This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Queries for DUAL ISP link

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Queries for DUAL ISP link

raji_toor
L4 Transporter

‎10-08-2019 08:56 AM

I am following this KB link to set this up https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

 

1/ So the documents says i have to setup 2 source NATs for each interface. Can we getaway by using the interface as ANY in NAT rule? What is the best practice?

2/ What about destination interface for the traffic coming to our hosted web-servers, Should there also be 2 destination NAT's? ISP will be re-routing/advertising our subnet on the faild-over link for traffic destined to us.

3/ What happens to HA, we have firewalls in Active-Passive, with path-monitoring profiles enabled on them. Should we disable path monitoring with dual links?

 

 

0 Likes Likes
2 REPLIES 2

S.Cantwell
Cyber Elite
Cyber Elite

‎10-08-2019 06:48 PM

If you are definitely trying to use Dual ISP with automatic VPN failover, I would follow the KB article exactly.

 

As for the NAT rules, you definitely need to definite ingress interfaces vs using ANY.

 

You should probably be using loopback IPs that are available on both ISPs, so that if 1 ISP fails, the 2nd ISP will still know about the 2nd loopback address and inbound/destination NAT can still work (need to test thoroughly)

 

As for path monitoring, yes... i would agreed to turn it off from the HA config, but you need to ensure path monitoring is configured in your virtual router.  This way, if the VR determines the 1st ISP is down, then it can remove the route from the FIB table, and send traffic to the ISP, using the 2 NAT rule.   This is why you MUST define, in your NAT, what addressed is to be used, based on the interface, to ensure the correct NAT statement/IP is used. 

 

More questions? 😛

 

let us know. 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

raji_toor
L4 Transporter
In response to S.Cantwell

‎10-09-2019 08:09 AM

@S.Cantwell Thanks for the answers. For us ISP providing L2/L3 still remains the same, its only physical link that goes to two different ISP's so that is not an issue. So I would be duplicating both the below NAT rules as an example with each destination interface, correct?

 

image.png

0 Likes Likes
  • 2694 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks