07-19-2017 11:53 PM
I configured the PA-3020 with 3 ISP as below
1. ISP1-2Mbps DIA
2. ISP2-20Mbps DIA
3. ISP3-200Mbps DSL
I want to configure the PA as below
ISP1 for VPN access
ISP2 for Business applications traffic with QoS (like outlook traffic and etc.)
ISP3 for general browsing
Please suggest.
Thank you
Mohammed Ali
07-21-2017 10:08 AM
Hello,
I would suggest Policy Based Forwarding in this case. However without some kind of dynamic routing protocol for the external interfaces, you might have to use multiple virtual routers.
1VR for the Global Protect VPN
1VR for the browsing and Policy Based Forwarding
However if possible, I would say upgrade the 20M ISP to something higher and route all traffic over it and use the DLS as a failover circuit, just a thought.
Hope this helps.
07-22-2017 06:52 AM - edited 07-22-2017 07:01 AM
Hi @ali.mathur
To propose a good (/the best solution) I have some additional questions:
07-22-2017 10:49 PM
Hi vsys_remo,
Thanks for your reply. please find the below comment.
1. We need to identify the business application.
2. C2S VPN with full tunnel.
07-23-2017 03:23 AM
Hi @ali.mathur
So lets try to get this done ... but first I need to say, there will be no perfect solution if you have to rely on App-ID for PBF rules. There are always sessions that will not use the connection you want them to use ...
1. VPN access
There I see two options: the first (with one virtual router) is you use a loopback interface for your GP portal/gateway. There you assign a private IP for that loopback interface and a NAT rule that translates incoming packets to the ISP1 IP to the private IP of your loopback interface. In addition you have to create a PBF that somehow will do the same as the NAT rule. This PBF rule has to forwards the VPN traffic to the loopback interface, but the main reason you need this rule is to enable the option "enforce symmetric return" on VPN traffic. This will ensure that reply traffic from your firewall will use ISP1 connection. It is also needed because the default route will point to another ISP connection (actually ISP3).
The second possibility is, as already proposed by @OtakarKlier, use a dedicated virtual router for the external GP interface. This way you won't need the NAT or PBF rule mentionned above because the traffic has only one option (you will only assign ISP1 to this virtual router)
With the swcond option you attach the tunnel interface to the virtual router where you will also have ISP2 and 3
------------------
Before we no get to your business traffic you need to make a decision: do you wan't more low priority traffic on ISP2 and make sure that your business applications will use this connection or dou you accept that business traffic sessions also use ISP3 unless PA identifies them as the apps you specified and then new sessions to the same dst ip with the same port and protocol will be routed over to ISP2.
--> As you have a lot more bandwith on ISP3 I would use this one as primary
-------------------
2. Your business traffic: for this traffic you need to create your app-based PBF rule where you specify all the apps which are business traffic for your company. I would also reccomend that you specify a monitor profile and disable the PBF rule if the specified IP address (next hop at ISP2)
3. All other traffic: to route all other traffic to ISP3 you do not need to create a PBF rule, there you only need to set the default route to ISP3.
This way it should be possible to use all 3 ISP connections. In addition, all traffic coming in from the VPN clients to the internet (if you allow internet access for them) will also use ISP2 for business apps and ISP3 for all other internet connections.
But as mentionned in this post and also in your other topic. App based PBF rules are not recommended. If ever possible use layer 3 or 4 informations to specify what traffic needs to be routed to ISP2. So for example for things like office 365 microsoft publishes IP range lists. The informations from these lists you can use for IP based PBF rules. It may not always be possible to do it like this, but there are probably more services than you think where you will find IP informations on the internet which you can use in more reliable PBF rules.
If you have additional questions, feel free to ask.
Regards,
Remo
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
