PA220 PANOS 8.0.7 Dual ISP



Hello Everyone

 

I know there is a fair amount of information on this topic, but I have a few issues/questions.

 

I have a PA220 with PAN-OS 8.0.7. My questions relate to dual ISP connectivity. I would like to set up my PA with a backup ISP connection. I do have IPsec tunnels, but I am allowing for the second tunnel to negotiate when the backup ISP comes up, so both tunnels don't have to be "up and ready".

 

I have read the following article, which is based on 2 VRs with PBF to push traffic to the primary ISP with monitoring. When monitoring fails it will "failover" to use the second ISP:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

I have also read the following article, which I believe is now applicable in PAN-OS 8. This configuration uses 2 default routes. The first one will have a lower metric, let's say 10, with monitoring enabled, and the second default route has a higher metric, let's say 50:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/static-routes/static-rout...

 

Basically, can I achieve dual ISP with tunnels available on both untrusted ISP connections using the second article (default routes and path monitoring)? Again, I don't mind the short amount of time for the tunnel to negotiate. It's a branch office PA and I don't really want to configure 2 VRs.

 

Thank you, I really appreciate any help on this.

 

22 replies

Hmm, I currently have a site that has one ISP but connects to two different data centers. I use PBF to send all traffic down one tunnel and it works just fine. I also have a site that has 1 p2p connection and a VPN tunnel to the same data center, and the PBF also seems to work just fine. I think the newer code fixed the behavior in the article you mentioned?

 

Perhaps @reaper can verify.

 

Hi guys,

 

Please keep in mind the IPsec connection is a system-sourced connection, so it cannot be directed via PBF, but it can via static routes, with or without a separate VR depending on your needs (if the remote end has 2 IPs you won't necessarily need 2 VRs, because you can create 2 separate-identity IPsec connections).

 

The traffic you put on the tunnels is not system-sourced, so it can be controlled by PBF.

 

The 2-VR method is so you can create 2 'live' tunnels to the same endpoint, but as long as you can switch up parameters and add creative static routes, it is not mandatory.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
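The single-VR layout reaper describes (static routes for the system-sourced IKE/IPsec traffic, PBF only for the traffic behind the firewall) combined with the two monitored default routes from the original poster's second article, as an added example that is not from this thread or from Palo Alto Networks documentation. It assumes the remote end presents two public IPs, peer A (192.0.2.1) reachable via ISP 1 and peer B (192.0.2.2) via ISP 2; all addresses, zone/profile names and the pre-shared key are placeholders, and the set-command syntax is written from PAN-OS 8.0 and should be checked against the exact release before committing.

```text
# Added example, not from the thread. Placeholders throughout; verify
# each set command against your PAN-OS release before committing.

# --- ISP uplinks, one zone each ---------------------------------------
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.10/24
set network interface ethernet ethernet1/2 layer3 ip 198.51.100.10/24
set zone untrust-isp1 network layer3 ethernet1/1
set zone untrust-isp2 network layer3 ethernet1/2

# --- Tunnel interfaces (an IP is needed for tunnel monitoring) --------
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network interface tunnel units tunnel.2 ip 10.255.0.5/30
set zone vpn network layer3 [ tunnel.1 tunnel.2 ]
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 tunnel.2 ]

# --- Two default routes, primary metric 10, backup metric 50 ----------
# Both are path monitored. A route whose probes fail is withdrawn from
# the RIB/FIB so the other default route takes over; hold-time (minutes)
# delays reinstating it after the probes recover. Probe something beyond
# the ISP gateway (placeholder 192.0.2.100 / 192.0.2.200), not just the
# first hop, or a dead upstream will go unnoticed.
set network virtual-router default routing-table ip static-route default-isp1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route default-isp1 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route default-isp1 path-monitor monitor-destinations probe-isp1 enable yes source 203.0.113.10/24 destination 192.0.2.100 interval 3 count 5
set network virtual-router default routing-table ip static-route default-isp2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 50
set network virtual-router default routing-table ip static-route default-isp2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route default-isp2 path-monitor monitor-destinations probe-isp2 enable yes source 198.51.100.10/24 destination 192.0.2.200 interval 3 count 5

# --- Host routes pinning each IKE peer to its own ISP -----------------
# IKE/IPsec is system-sourced, so PBF cannot steer it; a /32 per peer is
# what keeps ike-isp2 from negotiating out of ethernet1/1 when ISP 1 is up.
set network virtual-router default routing-table ip static-route peer-a destination 192.0.2.1/32 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route peer-b destination 192.0.2.2/32 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# --- Two separate-identity IKE gateways, each bound to one uplink -----
set network ike gateway ike-isp1 protocol version ikev2
set network ike gateway ike-isp1 local-address interface ethernet1/1 ip 203.0.113.10/24
set network ike gateway ike-isp1 peer-address ip 192.0.2.1
set network ike gateway ike-isp1 authentication pre-shared-key key CHANGE-ME
set network ike gateway ike-isp1 protocol ikev2 ike-crypto-profile default
set network ike gateway ike-isp1 protocol ikev2 dpd enable yes
set network ike gateway ike-isp2 protocol version ikev2
set network ike gateway ike-isp2 local-address interface ethernet1/2 ip 198.51.100.10/24
set network ike gateway ike-isp2 peer-address ip 192.0.2.2
set network ike gateway ike-isp2 authentication pre-shared-key key CHANGE-ME
set network ike gateway ike-isp2 protocol ikev2 ike-crypto-profile default
set network ike gateway ike-isp2 protocol ikev2 dpd enable yes

# --- IPsec tunnels with tunnel monitoring set to fail over ------------
# action fail-over marks the tunnel interface down when the probes to
# the remote LAN host stop answering, which withdraws lan-via-isp1 below.
set network profiles monitor-profile tm-failover action fail-over interval 3 threshold 5
set network tunnel ipsec vpn-isp1 auto-key ike-gateway ike-isp1
set network tunnel ipsec vpn-isp1 auto-key ipsec-crypto-profile default
set network tunnel ipsec vpn-isp1 tunnel-interface tunnel.1
set network tunnel ipsec vpn-isp1 tunnel-monitor enable yes destination-ip 10.0.0.1 tunnel-monitor-profile tm-failover
set network tunnel ipsec vpn-isp2 auto-key ike-gateway ike-isp2
set network tunnel ipsec vpn-isp2 auto-key ipsec-crypto-profile default
set network tunnel ipsec vpn-isp2 tunnel-interface tunnel.2
set network tunnel ipsec vpn-isp2 tunnel-monitor enable yes destination-ip 10.0.0.1 tunnel-monitor-profile tm-failover

# --- Remote LAN reachable over either tunnel, primary preferred -------
set network virtual-router default routing-table ip static-route lan-via-isp1 destination 10.0.0.0/24 interface tunnel.1 metric 10
set network virtual-router default routing-table ip static-route lan-via-isp2 destination 10.0.0.0/24 interface tunnel.2 metric 50
```

Two things to check after commit. First, `show routing route` should list both default routes with the metric-10 one marked active and both /32 peer routes pointing out of different interfaces; if the second peer's /32 is missing, the backup IKE negotiation will leave via the primary ISP and fail the remote end's identity check. Second, `show vpn ike-sa`, `show vpn ipsec-sa` and `show vpn flow` show which gateway and tunnel are actually up; pulling the ISP 1 cable and watching the metric-50 default and `lan-via-isp2` become active in `show routing route` is the simplest end-to-end failover test. If the remote end has only one public IP, the two /32 routes collapse into one and this layout cannot pin the second gateway, which is the case where reaper's 2-VR method is still needed.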

OK, that makes more sense, since my two tunnels are already up and connected. I do have static routes for the public IP endpoints of those tunnels, and my PBFs are only for traffic behind the firewalls.

@reaper

 

Hello. Yeah, that would be good if you could give it a test in your lab. I'd like to know the outcome.

@reaper

 

Wouldn't I need 2 tunnels, as 1 is for ISP 1 and the other is for ISP 2?

 

Thank you.

 

 

Are both sides PAN's?

@OtakarKlier

 

Unfortunately not 😞

@reaper hope you're all good.

 

Did you manage to set up the route path monitoring lab?

 

Do you think it's okay to monitor both default routes?

 

Also, I have set up tunnel monitoring. I read you can configure this even if the tunnel is to a non-PA device. Is this recommended? Is there any way to truly test that the configured tunnel monitoring is doing what it's meant to do?

 

Side note: would you path monitor the tunnel routes if the tunnel monitoring is working?

 

Another side note: are there any issues with path monitoring any of my routes? Surely if a route fails path monitoring it just gets removed from the RIB and FIB.

 

Cheers

 
