03-31-2017 03:11 AM
Hi Guys,
We have two isp links (ISP1 AND ISP2). We have defined to default gateways and set the ISP1 less priority so that all internal traffic will take ISP1.
for example
0.0.0.0/0 ethernet 1/1 next hop 76.45.146.22 admindistance 10 metric 1
0.0.0.0/0 ethernet 1/2 next hop 89.54.54.56 admindistance 10 metric 2
In this scenario. We have published SMTP via ISP1 AND our web server via ISP2.
My query is, when some one from internet access the web server it will go through via ISP2, get natted to public ip of the web server and will reach the server LOCAL which is in the DMZ. But... when the local server responds to the request, would it take ISP1 or ISP2?
03-31-2017 06:03 AM
This sounds like it would make a really good example for Policy Based Forwarding. Since your highest priority route for all traffic is ethernet1/1 the return traffic would attempt to take that route; however with a PBF policy configured you could actually specify that HTTP/HTTPS traffic from your webserver actually needs to Egress from ethernet1/2 next hop 89.54.54.56 and this would actually superseed the metric in your routing table.
03-31-2017 06:06 AM - edited 03-31-2017 06:08 AM
Yeah, PBF is the way to go. There you also have an option 'enforce symmetric return'. That way your server is visible on both ISPs all the time.
03-31-2017 04:34 AM
Hi
thanks for your comment! I'll move this topic over to the general discussion area as it was posted in the feedback board
03-31-2017 06:03 AM
This sounds like it would make a really good example for Policy Based Forwarding. Since your highest priority route for all traffic is ethernet1/1 the return traffic would attempt to take that route; however with a PBF policy configured you could actually specify that HTTP/HTTPS traffic from your webserver actually needs to Egress from ethernet1/2 next hop 89.54.54.56 and this would actually superseed the metric in your routing table.
03-31-2017 06:06 AM - edited 03-31-2017 06:08 AM
Yeah, PBF is the way to go. There you also have an option 'enforce symmetric return'. That way your server is visible on both ISPs all the time.
04-01-2017 01:47 PM
Thanks you.
I tried PBF with simetric routing. and it worked. i was having several discussion with palo alto engineers. because. currently we are migrating fortigate firewall to palo alto firewall. in Fortigate firewall the return traffic is taking the same path as it arrived even without PBF. As far as i understood firewall will notedown the ingress and egress interface in its session table. with that asumption and despite the face that fortigate does not have any PBF. we configured same configuration as the fortigate and failed the migration.
We learned in hard way...
Thanks for all for your comments.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
