PAN Dual ISP Failover Best Practices


L4 Transporter

I have set up dozens of PANs with multiple ISPs and failover but have some questions with regard to best practices.

1. Is PBF the only way to handle failover? If not, can the same be achieved via HA Link/path monitoring or is that specifically for device/firewall failover?

2. This is mostly with regard to what is processed first in the firewall. If you set up two ISPs, are there any issues with putting them in the same zone so you can manage them as a single zone from a security perspective? My question mostly revolves around NAT. If you have two NAT policies which match Internal to External but the policies have two different source NAT IPs, will the firewall look at the PBF table, see which interface it is going to go out of, then apply the appropriate NAT policy? Or do you have to put the ISPs in separate zones?


L4 Transporter

Well, never mind on question two. I tested it and now know for sure you can NAT just fine with all ISPs being on the same zone.

Is it possible that if you have, say, dual ISPs and you are hosting a publicly accessible web server, it could be accessible on the public IP of either ISP at any given time?

The current setups have it where it is only accessible on the active ISP line due to the PBF rules.

If you want to access a publicly hosted web server through both public IP addresses, how will your DNS server resolve one URL into 2 different IPs?

Thanks

Yeah, I understand DNS can only have a single A record mapping to an IP at a time. I'm not sure I have a practical use-case scenario for what I'm asking; just curious if it is possible from a routing perspective in the PAN.

L3 Networker

I had a client that had a similar requirement. They have 2 ISPs with NAT separate for each. They had a couple of DNATs and wanted to use Global Protect as well. The fun part was that they wanted failover set up but they wanted both WAN links available at the same time. The plan was to manually change DNS when there was a failure, but once it was back online they didn't have to make the DNS change right away. So DNATs & GP would always operate.

What I had to do was to put both WAN interfaces into separate VRs. Since I was doing failover as well, I also had to set up PBF. It was the only way I could keep routing synchronous. When I tried to create PBFs to do it they just wouldn't honor the rule, and if traffic came in on 1 WAN link while the failover PBF was in place routing became circular. I also had to set up routing across VRs to make traffic flow properly and ran into performance issues.
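The two-VR layout this post describes, written out as a constructed PAN-OS CLI example added here (it is not the poster's configuration and has not been taken from the thread). Interface names, zone names, VR names, rule names and the RFC 5737 addresses are assumptions; the exact `set` syntax should be checked against the docs for the PAN-OS version in use.

```text
# Constructed example, not from the thread. Assumed layout:
#   ethernet1/3 = zone Inside, 10.0.0.1/24, web server 10.0.0.10
#   ethernet1/1 = ISP1, zone Outside, 203.0.113.2/24, gateway 203.0.113.1
#   ethernet1/2 = ISP2, zone Outside, 198.51.100.2/24, gateway 198.51.100.1
# Both WAN interfaces share one zone (as in the thread); each sits in its own VR.

# --- Virtual routers: one per ISP; the inside interface lives with ISP1 ---
set network virtual-router ISP1-VR interface [ ethernet1/1 ethernet1/3 ]
set network virtual-router ISP2-VR interface [ ethernet1/2 ]
# ISP2-VR reaches the inside network by handing traffic to ISP1-VR
set network virtual-router ISP2-VR routing-table ip static-route to-inside destination 10.0.0.0/24 nexthop next-vr ISP1-VR
set network virtual-router ISP2-VR routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1
# ISP1-VR's routing-table default is the FAILOVER path (via ISP2-VR); the
# primary path is chosen by the PBF rule below, which is consulted before routing.
set network virtual-router ISP1-VR routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr ISP2-VR

# --- PBF: prefer ISP1, monitor its gateway, drop to routing (ISP2) when it fails ---
set rulebase pbf rules Out-ISP1 from zone Inside
set rulebase pbf rules Out-ISP1 source any destination any application any service any
set rulebase pbf rules Out-ISP1 action forward egress-interface ethernet1/1
set rulebase pbf rules Out-ISP1 action forward nexthop ip-address 203.0.113.1
set rulebase pbf rules Out-ISP1 action forward monitor profile default
set rulebase pbf rules Out-ISP1 action forward monitor ip-address 203.0.113.1
set rulebase pbf rules Out-ISP1 action forward monitor disable-if-unreachable yes

# --- Symmetric return: replies to sessions that arrived on a WAN link leave on that
#     same link; without this, inbound-on-ISP2 sessions would answer via ISP1 (the
#     "circular" routing described above). Egress = ingress interface, per ISP.
set rulebase pbf rules Sym-ISP1 from interface ethernet1/1
set rulebase pbf rules Sym-ISP1 source any destination any application any service any
set rulebase pbf rules Sym-ISP1 action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1
set rulebase pbf rules Sym-ISP1 enforce-symmetric-return enabled yes nexthop-address-list 203.0.113.1
set rulebase pbf rules Sym-ISP2 from interface ethernet1/2
set rulebase pbf rules Sym-ISP2 source any destination any application any service any
set rulebase pbf rules Sym-ISP2 action forward egress-interface ethernet1/2 nexthop ip-address 198.51.100.1
set rulebase pbf rules Sym-ISP2 enforce-symmetric-return enabled yes nexthop-address-list 198.51.100.1

# --- NAT: one DNAT per public IP, and one SNAT per egress interface. NAT is evaluated
#     after the PBF/route lookup, so the to-interface match picks the right SNAT. ---
set rulebase nat rules Web-ISP1 from Outside to Outside destination 203.0.113.2 service service-https
set rulebase nat rules Web-ISP1 destination-translation translated-address 10.0.0.10
set rulebase nat rules Web-ISP2 from Outside to Outside destination 198.51.100.2 service service-https
set rulebase nat rules Web-ISP2 destination-translation translated-address 10.0.0.10
set rulebase nat rules Out-ISP1 from Inside to Outside to-interface ethernet1/1 source any destination any
set rulebase nat rules Out-ISP1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules Out-ISP2 from Inside to Outside to-interface ethernet1/2 source any destination any
set rulebase nat rules Out-ISP2 source-translation dynamic-ip-and-port interface-address interface ethernet1/2
```

Security policy still has to permit the DNAT'd traffic into Inside, and the security rule matches on the pre-NAT destination zone (Outside) with the post-NAT address, which is the usual PAN-OS NAT/security ordering.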

When you did that, did you put the ISPs in the same or separate zones?

L3 Networker

The ISPs were put into the same zone. That was about the only nice thing about it. It made applying security policies easier.

I agree. This is my first implementation with putting both ISPs in the same zone. I seemed to be having mixed results, specifically with bi-directional NAT policies. Traffic doesn't seem to match on them correctly. If I however change it from a bi-directional policy to two separate NAT policies (one to NAT in and one to NAT out) for a given server and both public IPs, it starts matching correctly.

Jay kay. The NAT policies were fine. I thought they were broken because email flow was not working. Turns out, the new fiber ISP in the area blocks all inbound/outbound port 25 by default. Wonderful times.

L3 Networker

Sounds like you answered your own question, but here's what I did.

I only have DNATs & SNATs. The DNATs were port translations, mainly because 1 was legacy and the other I only had the interface IP to work with.

The performance issues I never had a chance to troubleshoot. The migration was a rush job and I was fitting into several already scheduled projects. By the time I had the time to troubleshoot, the client had worked with PAN support to solve the issue. From what I understand, they spent a long time and several calls to figure it out, but I never heard what the solution was.

I have to LOL on the port 25. I didn't know anyone still blocked 25 anymore on a business class internet connection. Even if it's just a cable modem connection. 🙂

Although, on this particular job, they had a 100Mb cable modem connection and the provider was still tying the connection to the first MAC address it saw. That was fun.

Yeah, we can all LOL at the SMTP issue after the fact. 🙂

And it's not even like this was some lowly business class DSL service. It's enterprise grade fiber. (50 down/up).

In our area, we have a cable modem provider that still ties the connection to the first MAC address. When I switch them to a new firewall and tell them they have to reboot the modem, I feel barbaric. 🙂
