DotW: Multiple ISPs

DotW: Multiple ISPs

Created On 09/25/18 18:59 PM - Last Modified 06/13/23 02:56 AM


ISP redundancy and sharing and balancing traffic (load sharing and load balancing) are the most common reasons for connectivity to multiple ISPs. ISP redundancy comes into play when the primary ISP goes down and all traffic needs to to be routed to the backup ISP in order to prevent a network down situation.



Screen Shot 2015-11-09 at 10.26.00.png



For ISP redundancy, Palo Alto Networks offers a solution through policy-based forwarding (PBF) using the following setup:



Screen Shot 2015-11-09 at 15.00.35.png


In the above scenario, a PBF rule with path monitoring routes all traffic to the primary ISP.  If the path monitor finds the PBF path is no longer available, then traffic automatically begins flowing over the backup link.


To configure ISP redundancy, please refer to How to Configure ISP Redundancy.


Load sharing vs load balancing: These two terms are frequently misunderstood in networking. Often, load balancing is used when people are using load sharing.


Load sharing, as the term suggests, shares traffic across different links, but does not necessarily balance or evenly distribute the traffic.


Here's an example to clarify the difference between load sharing and load balancing:


PBF forces traffic from different subnets through the respective ISP.  In this scenario, all traffic from subnet is forwarded to ISP 1, and subnet is forwarded to ISP 2.



    • Rule 1: Subnet going to, next hop is ISP 1
    • Rule 2: Subnet going to, next hop is ISP 2


Subnet 1, however, can be much busier than Subnet 2, meaning  a lot more traffic goes out to ISP 1. Traffic is shared, in this case, over ISP 1 and ISP 2, but clearly not balanced, since more traffic goes out to ISP 1.


Load balancing, on the other hand, balances traffic evenly across different links.  


Palo Alto Networks supports load balancing. Proper load balancing requires ECMP (Equal-Cost Multi-Path) or per-packet/per-flow load balancing. Beginning with PAN-OS 7.0, Palo Alto Networks supports ECMP, as offered by Community member adiazm in discussing ECMP availability in PAN-OS 7.0.3. Read the full discussion about Multiple Active ISPs here.


Enabling ECMP allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
  • Load balance flows (sessions) to the same destination over multiple equal-cost links.
  • Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
  • Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.

Read more about ECMP, load-balancing algorithms, and configuration:



ECMP Load-Balancing Algorithms

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems


We always welcome comments and questions below in the comments section.


Thanks for reading.


Kim Wens


  • Print
  • Copy Link

Choose Language