PBF and ipsec

L2 Linker


The HQ network and the remote network location are always connected through MPLS.
PBF is configured with path monitoring for forwarding via MPLS, and if MPLS fails,
traffic will go through the ipsec_1 tunnel according to the PBF created in Palo Alto.
How do I configure Palo Alto so that, if both ipsec1 and MPLS are down, traffic passes through ipsec_2?

@jdelio 

@vsys_remo 

@BPry 



All Replies
L7 Applicator

Adding another PBF should do the trick (if the first PBF is set to a path monitor profile with fail-over as the action).

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
L2 Linker

@reaper

Create a PBF for MPLS and configure the monitor failover.

Create a PBF for IPSEC-1 and configure the monitor failover.

Then create a PBF for IPSEC-2. (In this case, if the MPLS link and the IPSEC-1 link are down, then traffic will fail back to IPSEC-2.)

Is that right?

L7 Applicator

Yes.

The PBF rules can be set sequentially and will each perform monitoring to verify if they should be active. As long as 1 is active, 2 will not be hit; when 1's monitor fails, 2 takes over and 3 will not be hit. As soon as 2's monitor fails, it too will stop functioning and 3 will take over as last resort.

Lastly, you can still resort to a static route.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
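
A small Python model of the rule ordering described in the answer above, added here as an illustration and not taken from the thread or from PAN-OS. The rule names, the `select_path` and `failover_sequence` helpers and the `static-route` label are hypothetical, and the model assumes a rule whose monitor fails is skipped so the next rule is evaluated; it also shows that a last rule with no monitor keeps matching, so the static route is never reached.

```python
from dataclasses import dataclass


@dataclass
class PbfRule:
    name: str               # hypothetical rule name
    egress: str             # path the rule forwards to
    monitored: bool = True  # path monitor with fail-over attached


# Constructed rule base, in the order the thread proposes.
RULES = [
    PbfRule("PBF-MPLS", "mpls"),
    PbfRule("PBF-IPSEC-1", "ipsec_1"),
    PbfRule("PBF-IPSEC-2", "ipsec_2"),
]


def select_path(rules, down, fallback="static-route"):
    """Return (rule name or None, path) for traffic that matches every rule.

    `down` is the set of paths whose monitor target is unreachable.
    Assumption: a monitored rule whose monitor fails is disabled and
    evaluation continues with the next rule.
    """
    for rule in rules:                    # evaluated top-down, first match wins
        if rule.monitored and rule.egress in down:
            continue                      # monitor failed: rule is skipped
        return rule.name, rule.egress     # unmonitored rules always match
    return None, fallback                 # no active PBF rule: route table


def failover_sequence(rules, outages):
    """Fail paths one by one and record where traffic goes after each outage."""
    down, seen = set(), [select_path(rules, set())[1]]
    for path in outages:
        down.add(path)
        seen.append(select_path(rules, down)[1])
    return seen


if __name__ == "__main__":
    print(failover_sequence(RULES, ["mpls", "ipsec_1", "ipsec_2"]))
    unmonitored_last = RULES[:2] + [PbfRule("PBF-IPSEC-2", "ipsec_2", monitored=False)]
    print(select_path(unmonitored_last, {"mpls", "ipsec_1", "ipsec_2"}))
```
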
