Hi,
We are moving from Juniper ScreenOS SSG firewalls to PAN-OS 7.0.4 on clustered 3020 firewalls.
On our Junipers we make use of a feature called track-ip for interface failover between ISPs. This basically works by pinging a far device on the primary link, and after the ping failure limit is exceeded, the default route changes to that of our secondary ISP link/interface.
I'm not talking about VPN failover here, but default route / link failure and failover.
I asked this of Palo Alto support but got the following response: "The Path Monitoring feature monitors the full path through the network to mission-critical IP addresses to control failover. ICMP pings are used to verify reachability of the IP address. The default behavior is any one of the IP addresses becoming unreachable will cause the device to change the HA state to non-functional to indicate a failure of a monitored object."
This looks to me very much like an HA state configuration and has nothing to do with ISP link failover.
Upon speaking to someone else who is Palo Alto accredited, they suggested using PBF, but I really don't like PBF. They then said that PAN-OS has a new feature called 'ECMP' and we might be able to make use of that?
Can anyone advise on a similar option to the Juniper ScreenOS 'track-ip' on the Palo Altos?
Will ECMP work?
Is there an alternative, other than PBF?
Thanks,
John
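The track-ip behaviour the post describes (probe a far-side address on the primary link, flip the default route once a run of probe failures exceeds a threshold) is easy to misjudge without seeing the state machine, in particular what happens on a lossy link that drops one packet now and then. The following is an added Python model of that logic, not Juniper or Palo Alto code and not a PAN-OS configuration; the route names, thresholds and probe sequence are all constructed for illustration. It adds one thing ScreenOS users often forget to tune: a separate recovery threshold so the route does not flap back to the primary on the first successful ping.

```python
"""Model of ScreenOS-style track-ip default-route failover (added illustration)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Hypothetical route descriptions; real devices would carry next-hop and interface.
PRIMARY = "default via ISP-1 (primary link)"
SECONDARY = "default via ISP-2 (secondary link)"


@dataclass
class TrackIp:
    """Tracks consecutive probe results and selects the active default route.

    fail_threshold:    consecutive probe failures on the primary before failover.
    recover_threshold: consecutive probe successes before failing back. Making this
                       larger than fail_threshold adds hysteresis so a link that is
                       up and down every few seconds does not flap the route.
    """
    fail_threshold: int = 3
    recover_threshold: int = 5
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    active: str = PRIMARY
    transitions: List[Tuple[int, str]] = field(default_factory=list)
    tick: int = 0

    def observe(self, reachable: bool) -> str:
        """Feed one probe result (True = far-side address answered) and return the active route."""
        self.tick += 1
        if reachable:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0

        if self.active == PRIMARY and self.consecutive_failures >= self.fail_threshold:
            # Primary path considered dead: move the default route to the secondary ISP.
            self.active = SECONDARY
            self.transitions.append((self.tick, SECONDARY))
        elif self.active == SECONDARY and self.consecutive_successes >= self.recover_threshold:
            # Primary path has been stable long enough: fail back.
            self.active = PRIMARY
            self.transitions.append((self.tick, PRIMARY))
        return self.active


def run_monitor(probe_results: Iterable[bool],
                fail_threshold: int = 3,
                recover_threshold: int = 5) -> TrackIp:
    """Replay a sequence of probe results through the tracker and return its final state."""
    monitor = TrackIp(fail_threshold=fail_threshold, recover_threshold=recover_threshold)
    for result in probe_results:
        monitor.observe(result)
    return monitor


# Constructed probe history: one isolated loss (tick 3) that must NOT trigger failover,
# then three consecutive losses (ticks 5-7) that must, then a stable recovery.
SAMPLE_PROBES = [True, True, False, True,
                 False, False, False,
                 True, True, True, True, True, True]


if __name__ == "__main__":
    state = run_monitor(SAMPLE_PROBES)
    for tick, route in state.transitions:
        print(f"tick {tick}: default route -> {route}")
    print("final:", state.active)
```

On a real device the probe would be an ICMP echo to a far-side address beyond the ISP's first hop, because pinging the directly attached gateway only proves the local link is up, not that the ISP can actually carry traffic. Whatever platform replaces the Junipers, the two knobs to carry over are the failure count and the recovery count; the latter is what stops a flapping upstream from dragging the default route back and forth.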