We have 2 ISPs on our PA-850. We have 1 VR with both ISPs set as the default route for primary and backup internet (different metrics) with a static route monitoring failover process. I have configured ISP1 for GP-gateway1 and ISP2 for GP-gateway2. In this case, I wasn't able to connect to the second GP gateway. I tried configuring 2 VRs, with ISP1 as the default route for VR1 and ISP2 as the default route for VR2. This way, I was able to connect to both GP gateways simultaneously.

How do I do the failover in this scenario? What I want to achieve is that all traffic coming in from internal, IPsec and GlobalProtect, regardless of the VR, is forwarded on ISP1. If ISP1 goes down, all traffic will shift to ISP2.

I found this article, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU8CAK, but it doesn't say anything about failover. Is this doable by using policy-based forwarding? If so, how do I configure it on the VRs, including the IPsec and GP tunnels?