I am following this KB link to set this up https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK
1/ So the documents says i have to setup 2 source NATs for each interface. Can we getaway by using the interface as ANY in NAT rule? What is the best practice?
2/ What about destination interface for the traffic coming to our hosted web-servers, Should there also be 2 destination NAT's? ISP will be re-routing/advertising our subnet on the faild-over link for traffic destined to us.
3/ What happens to HA, we have firewalls in Active-Passive, with path-monitoring profiles enabled on them. Should we disable path monitoring with dual links?
If you are definitely trying to use Dual ISP with automatic VPN failover, I would follow the KB article exactly.
As for the NAT rules, you definitely need to definite ingress interfaces vs using ANY.
You should probably be using loopback IPs that are available on both ISPs, so that if 1 ISP fails, the 2nd ISP will still know about the 2nd loopback address and inbound/destination NAT can still work (need to test thoroughly)
As for path monitoring, yes... i would agreed to turn it off from the HA config, but you need to ensure path monitoring is configured in your virtual router. This way, if the VR determines the 1st ISP is down, then it can remove the route from the FIB table, and send traffic to the ISP, using the 2 NAT rule. This is why you MUST define, in your NAT, what addressed is to be used, based on the interface, to ensure the correct NAT statement/IP is used.
let us know.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!