Two Default gateways with different priority

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Two Default gateways with different priority

L1 Bithead

Hi Guys,

 

We have two isp links (ISP1 AND ISP2). We have defined to default gateways and set the ISP1 less priority so that all internal traffic will take ISP1.

 

for example

0.0.0.0/0 ethernet 1/1 next hop 76.45.146.22 admindistance 10 metric 1
0.0.0.0/0 ethernet 1/2 next hop 89.54.54.56 admindistance 10 metric 2

 

In this scenario. We have published SMTP via ISP1 AND our web server via ISP2.

 

My query is, when some one from internet access the web server it will go through via ISP2, get natted to public ip of the web server and will reach the server LOCAL which is in the DMZ. But... when the local server responds to the request, would it take ISP1 or ISP2?

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

This sounds like it would make a really good example for Policy Based Forwarding. Since your highest priority route for all traffic is ethernet1/1 the return traffic would attempt to take that route; however with a PBF policy configured you could actually specify that HTTP/HTTPS traffic from your webserver actually needs to Egress from ethernet1/2 next hop 89.54.54.56 and this would actually superseed the metric in your routing table. 

View solution in original post

Yeah, PBF is the way to go. There you also have an option 'enforce symmetric return'. That way your server is visible on both ISPs all the time.

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi

 

thanks for your comment! I'll move this topic over to the general discussion area as it was posted in the feedback board

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

This sounds like it would make a really good example for Policy Based Forwarding. Since your highest priority route for all traffic is ethernet1/1 the return traffic would attempt to take that route; however with a PBF policy configured you could actually specify that HTTP/HTTPS traffic from your webserver actually needs to Egress from ethernet1/2 next hop 89.54.54.56 and this would actually superseed the metric in your routing table. 

Yeah, PBF is the way to go. There you also have an option 'enforce symmetric return'. That way your server is visible on both ISPs all the time.

Thanks you.

 

I tried PBF with simetric routing. and it worked. i was having several discussion with palo alto engineers. because. currently we are migrating fortigate firewall to palo alto firewall. in Fortigate firewall the return traffic is taking the same path as it arrived even without PBF. As far as i understood firewall will notedown the ingress and egress interface in its session table. with that asumption and despite the face that fortigate does not have any PBF. we configured same configuration as the fortigate and failed the migration.

 

We learned in hard way...

 

Thanks for all for your comments.

L1 Bithead

Secondary ISP not able to ping form external

I have two ISPs connected to my Palo Alto firewall:

1. ISP1 is in the ISP1 zone, with a default route metric value of 10.
2. ISP2 is in the ISP2 zone, with a default route metric value of 15.
3. Both ISPs are in the same virtual router.
I am facing an issue where I am unable to ping ISP2 from an external network.

The only time I am able to ping ISP2 from my home (public IP) is when I configure a static route on the Palo Alto firewall in the virtual router, pointing to the ISP2 interface.

Here are the configurations I have made on my Palo Alto firewall:

Security Policy: ISP2 to ISP2 — Allow all (any to any)
PBF (Policy-Based Forwarding): Configured with the following:
Source: ISP2, Source Address: any
Destination: any
Forwarding to ISP2 interface with Enforce Symmetric Return enabled
NAT Policy:
Source: ISP2, Destination: ISP2
Destination Interface: ISP2 interface
Source and Destination: any
Translated to Dynamic IP and Port, pointing to ISP2 interface

Could someone please assist me in resolving the issue?

  • 2 accepted solutions
  • 5551 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!