Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to Implement ECMP (Load Balancing) on the Firewall - Knowledge Base - Palo Alto Networks

How to Implement ECMP (Load Balancing) on the Firewall

259351
Created On 09/25/18 17:19 PM - Last Modified 01/30/25 18:54 PM


Objective


Equal Cost Multipath (ECMP) is a new feature introduced in PAN-OS 7.0. It provides multipath support for "equal cost" routes going to the same destination. There is a max of 4 equal cost paths supported

Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route.

ECMP load balancing is done at the session level, not at the packet level—the start of a new session is when the firewall (ECMP) chooses an equal-cost path

This article focuses on basic configuration to achieve ECMP on the firewall

Environment


  • PAN-OS 7.0 or higher.
  • ECMP (Equal Cost Multi-Path)

Procedure


Topology



Interface configuration:

Interface.png
Note: ethernet1/1 and ethernet1/11 are ISP interfaces configured in different zones L3-Untrust and VPN respectively. However, these interfaces can be configured in the same zone.


Route configuration with both default routes having "equal cost":

Screen Shot 2016-09-05 at 4.20.12 PM.png

NAT policy to be able to route traffic over internet:
NAT diff zone.png

Note: If both ISP interfaces are in the same zone, then destination interfaces need to be added to the NAT policy as in the following screenshot:
NAT same zone.png

Security policy configuration to allow the traffic: (covers both scenario when interfaces are in same or different zone)
Policy.png

Enabling ECMP on the firewall:
ECMP enable.png

Note:

  • Max Path 2 means that only 2 equal cost paths will be installed in the FIB table. If there are more than 2 equal-cost paths that need to be installed in FIB table, change Max Path value. Max supported value is 4.
  • Load balance method can be selected according to the requirement. For more information about load balance algorithm, please click here
  • Enable Symmetric Return if reply packet should be sent out the same interface that the request packet came in.
 

Additional Information


Verify ECMP is working:
Monitor > Traffic Logs (with different zone)
Screen Shot 2016-07-17 at 3.21.44 PM.png

Monitor > Traffic Logs (with same zone)
Screen Shot 2016-07-17 at 3.19.44 PM.png

Route installed for ECMP has a "E" flag in it:
Screen Shot 2016-07-17 at 3.22.34 PM.png
 

FIb table.png
Note: For detailed information on ECMP, please click here
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 239,644
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language