12-02-2018 10:03 PM - edited 12-02-2018 10:04 PM
Hi, I have read a few articles regarding internet redundancy using a primary and backup ISP link on a single Palo but can someone please explain (if it's possible) how one might achieve redundancy using a primary ISP link on 1 Palo with failover to a backup ISP link on another Palo at a remote WAN site connected to the primary site via L3?
Cheers,
Michelle
12-03-2018 08:53 AM
Hello,
If I understand your question correctly, you want ISP A into the active (Primary PAN) and ISP B into the standby unit. Are you running Active/Passive or Active/Active?
If A/P on your HA, then this is possible with just the link and path monitoring. i.e. if the link or path for ISP A goesn down then the PAN triggers a failover to the standby unit.
I have A/P setup and do the same thing on my PAN's and use OSPF for them to learn routes.
Hope this helps.
12-03-2018 02:04 PM
Thanks for such a quick response! We do have an active/passive HA on the Primary PAN but I was told that for HA to work they need to be connected via a L2 connection so for us I don't think it's possible to have HA between primary and backup PAN's as we have a L3 WAN only. Please correct me if this is wrong and I will follow up with the engineer that implemented the HA. So we currently have 2 physical PANs in A/P HA at Primary site and 1 virtual PAN at backup site.
12-03-2018 02:19 PM
Hello,
This is doable since the HA port configs allow for gateways, etc. I would caution this approach however since if the wan link goes down, both PAN's become active, etc. I would advise a secondary link between the two for redundancy. Even somthing simple as a VPN tunnel, that way if the wan link goes down, the VPN takes over for the second site, etc.
Regards,
12-03-2018 02:26 PM
Hmmm ok perhaps this is why the engineer implemented the HA in the current layout then. Given we already have the backup PAN at the remote site then it is probably not necessary to screw with the HA config - unless of course this is required in order for me to set up the redundant ISP?
12-03-2018 02:30 PM
Hello,
So it all depends. I have seen this before however the priary site had a HA pair but traffic to the internet was routed out its independant site. Using OSPF we assigned costs to the routes so that siteA traffic went our PAN A, etc.
It really depends on the companies level of comfort with downtime and other requirements.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
