Can I create a dual globalprotect gateway on my firewall with ISP failover?

Gabriel.Buldiman
L0 Member

We have 2 ISPs on our PA-850. We have 1 VR with both ISPs set as the default route for primary and backup internet (different metrics) with a static route monitoring failover process. I have configured ISP1 for GP-gateway1 and ISP2 for GP-gateway2. In this case, I wasn't able to connect to the second GP-gateway.


I tried configuring 2 VRs, ISP1 as default route for VR1 and ISP2 as default route for VR2. This way, I was able to connect to both GP gateways simultaneously. How do I do the failover in this scenario? What I want to achieve is: all traffic coming in from internal, IPsec and GlobalProtect, regardless of the VR, will be forwarded on ISP1. If ISP1 goes down, all traffic will shift to ISP2.


Found this article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU8CAK but it doesn't say anything about failover.


Is this doable by using policy based forwarding? If so, how do I configure it on the VRs, including the IPsec and GP tunnels?

Sarc845
L2 Linker

Hey Gabriel,


I would test using path-monitoring setup similar to the below and create the same for the second route on the SAME VR:

[Image: Sarc845_1-1608292418378.png (static route path-monitoring configuration)]


Once the ISP Peer becomes unreachable via ICMP it will remove it from the routing table and fall back to the failover default route:


[Image: Sarc845_0-1608293021250.png (routing table after the monitored route is removed)]


And then create the same setup for the second VR.


EDIT: Remember to set a higher metric for the failover route, and note the failover route routes to the next VR.


Stay Safe
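The two-VR design Sarc845 sketches (a path-monitored primary default route in each VR, a higher-metric failover route that hands traffic to the other VR) has one edge case worth checking before deploying it: if only VR1's ISP1 route is path-monitored, then when ISP1 fails VR1 falls back to VR2, VR2's still-installed "prefer ISP1" route hands the packet straight back to VR1, and the two VRs loop. The script below is an added illustration, not Palo Alto code from this thread or the KB article; the VR names, interface names, route names and peer addresses (203.0.113.1, 198.51.100.1) are constructed. It models static routes with metrics, path-monitor withdrawal and next-VR forwarding, and shows that monitoring the same ISP1 peer from both VRs' ISP1-preferring routes is what makes the failover converge on ISP2.

```python
"""Toy model of static-route selection with path monitoring across two
virtual routers. Added for illustration; it is not Palo Alto code. The VR
names, interface names, route names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ISP1_PEER = "203.0.113.1"    # constructed: ISP1 next hop, monitored by ICMP
ISP2_PEER = "198.51.100.1"   # constructed: ISP2 next hop, monitored by ICMP


@dataclass
class StaticRoute:
    name: str
    metric: int
    egress: str                         # interface name, or "next-vr:<name>"
    monitor_peer: Optional[str] = None  # route is withdrawn while this IP is unreachable


@dataclass
class VirtualRouter:
    name: str
    routes: List[StaticRoute] = field(default_factory=list)


def best_default(vr: VirtualRouter, reachable: Set[str]) -> Optional[StaticRoute]:
    """Path monitoring withdraws a route whose monitored peer stopped answering;
    among the routes still installed, the lowest metric wins."""
    installed = [r for r in vr.routes
                 if r.monitor_peer is None or r.monitor_peer in reachable]
    return min(installed, key=lambda r: r.metric) if installed else None


def resolve_egress(vrs: Dict[str, VirtualRouter], start: str, reachable: Set[str]) -> str:
    """Follow next-vr hops until a physical interface is reached.
    Returns the interface, 'blackhole' if no default route survives,
    or 'loop' if the VRs keep handing the packet to each other."""
    visited: Set[str] = set()
    vr_name = start
    while True:
        if vr_name in visited:
            return "loop"
        visited.add(vr_name)
        route = best_default(vrs[vr_name], reachable)
        if route is None:
            return "blackhole"
        if route.egress.startswith("next-vr:"):
            vr_name = route.egress.split(":", 1)[1]
            continue
        return route.egress


def build_topology(monitor_on_vr2: bool) -> Dict[str, VirtualRouter]:
    """VR1 owns ISP1 (ethernet1/1), VR2 owns ISP2 (ethernet1/2). Both VRs prefer
    ISP1 and fall back to the other VR / ISP2 on a higher metric. monitor_on_vr2
    decides whether VR2's ISP1-preferring route is also path-monitored."""
    vr1 = VirtualRouter("VR1", [
        StaticRoute("ISP1-default", 10, "ethernet1/1", monitor_peer=ISP1_PEER),
        StaticRoute("failover-via-VR2", 20, "next-vr:VR2"),
    ])
    vr2 = VirtualRouter("VR2", [
        StaticRoute("prefer-ISP1-via-VR1", 10, "next-vr:VR1",
                    monitor_peer=ISP1_PEER if monitor_on_vr2 else None),
        StaticRoute("ISP2-default", 20, "ethernet1/2", monitor_peer=ISP2_PEER),
    ])
    return {"VR1": vr1, "VR2": vr2}


def run_scenarios() -> Dict[str, str]:
    """Egress chosen for traffic entering each VR under different link states."""
    both_up = {ISP1_PEER, ISP2_PEER}
    isp1_down = {ISP2_PEER}
    return {
        "both up, from VR1": resolve_egress(build_topology(True), "VR1", both_up),
        "both up, from VR2": resolve_egress(build_topology(True), "VR2", both_up),
        "ISP1 down, VR2 unmonitored, from VR1": resolve_egress(build_topology(False), "VR1", isp1_down),
        "ISP1 down, VR2 monitored, from VR1": resolve_egress(build_topology(True), "VR1", isp1_down),
        "ISP1 down, VR2 monitored, from VR2": resolve_egress(build_topology(True), "VR2", isp1_down),
        "both down, from VR2": resolve_egress(build_topology(True), "VR2", set()),
    }


if __name__ == "__main__":
    for scenario, egress in run_scenarios().items():
        print(f"{scenario:40s} -> {egress}")
```

On PAN-OS the pieces modelled here are the static route's "Next VR" next-hop type, the route metric, and path monitoring (monitored destination, failure condition, hold time). Whether VR2 can keep pinging the ISP1 peer through its inter-VR route, so that its ISP1-preferring route is withdrawn at the same moment as VR1's, is an assumption of this model that should be confirmed on the firewall before relying on it; the same check applies to the return path for the GlobalProtect gateway and IPsec peers on ISP2, which must still leave via VR2's own interface for those sessions to survive.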