08-09-2014 10:49 AM
I have set up dozens of PANs with multiple ISPs and failover but have some questions in regard to best practices:
1. Is PBF the only way to handle failover? If not, can the same be achieved via HA link/path monitoring, or is that specifically for device/firewall failover?
2. This is mostly in regard to what is processed first in the firewall. If you set up two ISPs, are there any issues with putting them in the same zone so you can manage them as a single zone from a security perspective? My question mostly revolves around NAT. If you have two NAT policies which match Internal to External but the policies have two different source NAT IPs, will the firewall look at the PBF table, see which interface it is going to go out of, then apply the appropriate NAT policy? Or do you have to put the ISPs in separate zones?
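The order the second question asks about, as an added example that is not part of the original post or Palo Alto's code: on PAN-OS the PBF lookup (or, failing that, the routing table) picks the egress interface before the NAT policy is evaluated, and NAT rules are then matched top-down on the pre-NAT zones. When both ISPs sit in one zone, zone alone cannot tell the two source-NAT rules apart; the NAT rule's original-packet "destination interface" field is what disambiguates them. The Python model below reproduces that sequence with made-up interface names, rule names and documentation-range addresses, and shows the wrong translated source you get when the rules are not scoped by interface.

```python
"""Constructed model (not Palo Alto code) of how a dual-ISP, single-untrust-zone
firewall picks an egress interface and then a source-NAT rule.

Assumed, made-up names: ethernet1/1 = ISP1, ethernet1/2 = ISP2, ethernet1/3 = LAN,
public IPs 203.0.113.10 and 198.51.100.10 (documentation ranges)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str


@dataclass(frozen=True)
class PbfRule:
    name: str
    src_zone: str
    egress: str      # forward matching traffic out of this interface
    path_up: bool    # outcome of PBF path monitoring; a failed monitor disables the rule


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_interface: Optional[str]  # None models "any"
    translated_src: str


INTERFACES = {i.name: i for i in (
    Interface("ethernet1/1", "untrust"),
    Interface("ethernet1/2", "untrust"),
    Interface("ethernet1/3", "trust"),
)}
DEFAULT_ROUTE_IF = "ethernet1/2"   # routing-table fallback when no PBF rule applies
PUBLIC_IP = {"ethernet1/1": "203.0.113.10", "ethernet1/2": "198.51.100.10"}


def pick_egress(src_zone: str, pbf_rules) -> str:
    """Step 1: PBF runs before NAT. First rule whose monitored path is up wins;
    otherwise the routing table decides."""
    for r in pbf_rules:
        if r.src_zone == src_zone and r.path_up:
            return r.egress
    return DEFAULT_ROUTE_IF


def pick_nat(src_zone, dst_zone, egress_if, nat_rules) -> Optional[NatRule]:
    """Step 2: top-down NAT match on pre-NAT zones and, if set, destination interface."""
    for r in nat_rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.dst_interface is not None and r.dst_interface != egress_if:
            continue
        return r
    return None


def snat_is_consistent(egress_if: str, translated_src: str) -> bool:
    """The translated source must belong to the ISP the packet leaves on, or the
    upstream may drop it as spoofed."""
    return PUBLIC_IP.get(egress_if) == translated_src


def session_setup(ingress_if, pbf_rules, nat_rules) -> Tuple[str, Optional[str], str, bool]:
    src_zone = INTERFACES[ingress_if].zone
    egress = pick_egress(src_zone, pbf_rules)
    dst_zone = INTERFACES[egress].zone
    nat = pick_nat(src_zone, dst_zone, egress, nat_rules)
    translated = nat.translated_src if nat else "untranslated"
    return egress, (nat.name if nat else None), translated, snat_is_consistent(egress, translated)


def demo(isp1_up: bool, scope_by_interface: bool):
    """Outbound flow from the LAN with a PBF preference for ISP1, with the two SNAT
    rules either left at destination interface 'any' or scoped per interface."""
    pbf = [PbfRule("pbf-prefer-isp1", "trust", "ethernet1/1", path_up=isp1_up)]
    nat = [
        NatRule("snat-isp1", "trust", "untrust",
                "ethernet1/1" if scope_by_interface else None, "203.0.113.10"),
        NatRule("snat-isp2", "trust", "untrust",
                "ethernet1/2" if scope_by_interface else None, "198.51.100.10"),
    ]
    return session_setup("ethernet1/3", pbf, nat)


if __name__ == "__main__":
    for up in (True, False):
        for scoped in (False, True):
            print(f"ISP1 up={up!s:5} dst-interface set={scoped!s:5} ->", demo(up, scoped))
```

With the rules left at destination interface "any", the failover case (ISP1 path down, traffic leaving on ethernet1/2) still hits the first rule and goes out with ISP1's address; the consistency flag in the last tuple element is what you would check in a test of the real policy. Scoping each SNAT rule by destination interface fixes it without splitting the ISPs into separate zones.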
08-09-2014 01:45 PM
Is it possible that if you have, say, dual ISPs and you are hosting a publicly accessible web server, it can be accessible on the public IP of either ISP at any given time?
The current setups have it where it is only accessible on the active ISP line due to the PBF rules.
08-10-2014 09:49 PM
If you want to access a publicly hosted web server through both public IP addresses, how will your DNS server resolve one URL to 2 different IPs?
Thanks
08-11-2014 05:26 AM
Yeah, I understand DNS can only have a single A record mapping to an IP at a time. I'm not sure I have a practical use-case scenario for what I'm asking, just curious if it is possible from a routing perspective in the PAN.
08-11-2014 04:56 PM
I had a client that had a similar requirement. They have 2 ISPs with NAT separate for each. They had a couple of DNATs and wanted to use Global Protect as well. The fun part was that they wanted failover setup but they wanted both WAN links available at the same time. The plan was to manually change DNS when there was a failure but once it was back online they didn't have to make the DNS change right away. So DNATs & GP would always operate.
What I had to do was put both WAN interfaces into separate VRs. Since I was doing failover as well, I also had to set up PBF. It was the only way I could keep routing synchronous. When I tried to create PBFs to do it, they just wouldn't honor the rule, and if traffic came in on 1 WAN link while the failover PBF was in place, routing became circular. I also had to set up routing across VRs to make traffic flow properly and ran into performance issues.
08-11-2014 05:50 PM
When you did that, did you put the ISPs in the same or separate zones?
08-11-2014 05:55 PM
The ISPs were put into the same zone. That was about the only nice thing about it. It made applying security policies easier.
08-11-2014 06:04 PM
I agree. This is my first implementation putting both ISPs in the same zone. I seem to be having mixed results, specifically with bi-directional NAT policies. Traffic doesn't seem to match on them correctly. If, however, I change it from a bi-directional policy to two separate NAT policies (one to NAT in and one to NAT out) for a given server and both public IPs, it starts matching correctly.
08-11-2014 07:16 PM
Jay kay. The NAT policies were fine. I thought they were broken because email flow was not working. Turns out, the new fiber ISP in the area blocks all inbound/outbound port 25 by default. Wonderful times.
08-11-2014 09:46 PM
Sounds like you answered your own question but here's what I did.
I only have DNATs and SNATs. The DNATs were port translations, mainly because 1 was legacy and for the other I only had the interface IP to work with.
The performance issues I never had a chance to troubleshoot. The migration was a rush job and I was fitting it in around several already scheduled projects. By the time I had the time to troubleshoot, the client had worked with PAN support to solve the issue. From what I understand, they spent a long time and several calls to figure it out, but I never heard what the solution was.
I have to LOL on the port 25. I didn't know anyone still blocked 25 anymore on a business class internet connection. Even if it's just a cable modem connection. 🙂
Although, on this particular job, they had a 100Mb cable modem connection and the provider was still tying the connection to the first MAC address it saw. That was fun.
08-12-2014 06:56 AM
Yeah, we can all LOL at the SMTP issue after the fact.
And it's not even like this was some lowly business-class DSL service. It's enterprise-grade fiber (50 down/up).
In our area, we have a cable modem provider that still ties the connection to the first MAC address. When I switch them to a new firewall and tell them they have to reboot the modem, I feel barbaric. 🙂