12-17-2020 11:15 PM
We have 2 ISP on our PA-850. We have 1 VR with both ISP set as the default route for primary and backup internet (different metrics) with a static route monitoring failover process. I have configured ISP1 for GP-gateway1 and and ISP2 for GP-gateway2. In this case, I wasn't able to connect to the second GP-gateway.
I tried configuring 2 VRs, ISP1 as default route for VR1 and ISP2 as default route for VR2. This way, I was able to connect to both GP gateway simultaneously. How do I do the failover in this scenario? What I want to achieve is, all traffic coming in from internal, ipsec and GlobalProtect regardless of the VR, will forward it on ISP1. If ISP1 will go down, all traffic will shift to ISP2.
Found this article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU8CAK
but it doesnt say anything about failover.
Is this doable by using policy based forwarding? if so, how do I configure it on the VRs including the ipsecs and GP tunnels.
12-18-2020 03:54 AM - edited 12-18-2020 04:01 AM
I would test using path-monitoring setup similar to the below and create the same for the second route on the SAME VR:
Once the ISP Peer becomes unreachable via ICMP it will remove it from the routing table and fall back to the failover default route:
And then create the same setup for the second VR
EDIT: Remember to set a higher metric for the failover route and note the failover route routes to the next VR
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!