Hi @msdphi
Is Palo alto side initiator here? I am assuming it and below are the configuration steps ( high level ).
On Palo Alto side, you need to configure two separate IPSEC tunnels towards client side ( towards ISP1 and ISP2 ). For both the tunnels, you will have same proxy IDs.
Let’s say you have configured tunnel.1 interface for the tunnel with ISP1 IP and tunnel.2 interface for tunnel with ISP2 IP.
Now you will add two static routes for tunnel destination hosts/network pointing to tunnel.1 and tunnel.2 interfaces. Here, keep higher metric on the route pointing towards tunnel.2 interface. e.g. 10 metric for the route pointing to tunnel.1 and metric 11 for the route pointing to tunnel.2 interface.
For failover, you need to use path monitoring on the static route pointing towards tunnel.1 i.e. your primary ISP.
For this, you need to assign IP address on the tunnel interface i.e. tunnel.1 and take one remote end IP which is responding to ping requests. So, you can configure that IP as a destination. Firewall will ping that IP during configured internals. If primary tunnel goes down, remote end IP will stop responding to the ping requests. As soon as path monitoring is detected as DOWN , the route pointing to tunnel.1 interface will be removed from the forwarding routing table. So, after that automatically, request will be send towards tunnel.2 interface which nothing but your backup tunnel.
Once primary tunnel is back online and remote IP starts pinging from primary tunnel interface, route towards tunnel.1 interface will be added back and traffic will be pointed to Primary tunnel with ISP1. For static route path monitoring, refer this .
Client team also need to handle all the required configuration on their end so they can accept traffic from Palo Also side.
