11-18-2025 02:23 PM
Hi Everyone,
I’m looking for guidance on the best-practice way to set up redundant route-based VPN tunnels using BGP between a Palo Alto firewall (PA-VM) and a WatchGuard firewall. The goal is to implement primary/secondary failover with dynamic routing instead of static proxy-ID tunnels.
Palo Alto: PAN-OS 10.x VM-Series
WatchGuard: Firebox running latest firmware
Topology:
- Two IPsec tunnels (Primary + Secondary)
- Each terminates on different external IPs on both sides
- Using Route-Based VPN on Palo Alto (tunnel.x interfaces)
- Using Tunnel Interfaces / VTI-equivalent on WatchGuard
Goal:
- Run BGP between PA <--> WG
- Advertise internal subnets
- Achieve seamless failover when one IPsec tunnel goes down
- Avoid static proxy IDs and manual failover
I can bring up an IPsec SA on each tunnel individually using static proxy IDs.
Route-based tunnel (without proxy IDs) also comes up.
However, traffic flow between the subnets is inconsistent unless proxy IDs are manually configured.
Please advise if you have any specific article to configure this setup on PA VM and WatchGuard Model M670.
Thanks in advance for any guidance. I want to ensure this design is implemented cleanly and follows best
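Added example (my own, not from the post above or from either vendor): a small model of the BGP best-path choice on each side of the two-tunnel design, used to check that PA and WG both prefer the same tunnel and that the secondary takes over when the primary session is lost. AS numbers, prefixes and the learned-first ordering are constructed assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Path:
    prefix: str
    tunnel: str            # "primary" or "secondary" IPsec tunnel
    local_pref: int = 100  # set by the receiving firewall's import policy
    as_path: tuple = ()    # as received; the sender may prepend its own AS
    up: bool = True        # False once the tunnel (and its BGP session) is down

def best_path(paths):
    """Standard BGP decision process reduced to the attributes this design uses:
    highest local-pref, then shortest AS path. Remaining ties go to the path
    learned first (list order here), which is why two tunnels with no explicit
    preference behave inconsistently."""
    live = [p for p in paths if p.up]
    if not live:
        return None
    return min(live, key=lambda p: (-p.local_pref, len(p.as_path)))

def symmetric(pa_rib, wg_rib):
    """True when PA's route toward WG and WG's route toward PA share one tunnel,
    so each firewall's stateful inspection sees both directions of every flow."""
    pa, wg = best_path(pa_rib), best_path(wg_rib)
    return pa is not None and wg is not None and pa.tunnel == wg.tunnel

def build(primary_up=True, prepend=True):
    """Constructed scenario: PA is AS 65001, WG is AS 65002 (example numbers).
    PA prefers the primary session by local-pref and prepends on the secondary
    session; with prepend=False the WG side has no preference and happens to
    have learned the secondary path first."""
    pa_rib = [  # 10.20.0.0/16 stands in for WG's internal subnet
        Path("10.20.0.0/16", "primary", local_pref=200, as_path=(65002,), up=primary_up),
        Path("10.20.0.0/16", "secondary", local_pref=100, as_path=(65002,)),
    ]
    secondary_as_path = (65001,) * 3 if prepend else (65001,)
    wg_rib = [  # 10.10.0.0/16 stands in for PA's internal subnet
        Path("10.10.0.0/16", "secondary", as_path=secondary_as_path),
        Path("10.10.0.0/16", "primary", as_path=(65001,), up=primary_up),
    ]
    return pa_rib, wg_rib

if __name__ == "__main__":
    for up, prep in ((True, True), (False, True), (True, False)):
        pa_rib, wg_rib = build(up, prep)
        print(f"primary_up={up} prepend={prep}: PA->{best_path(pa_rib).tunnel} "
              f"WG->{best_path(wg_rib).tunnel} "
              f"{'symmetric' if symmetric(pa_rib, wg_rib) else 'ASYMMETRIC'}")
```

The third case shows the failure mode worth checking on the real boxes: if only one side carries a preference, the other side's choice depends on which session came up first, and flows can land on different tunnels in each direction.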