Dual ISP redundancy using Static Routes Path Monitoring Feature, for Traffic Failover

286677
Created On 04/01/19 05:34 AM - Last Modified 04/22/24 19:23 PM


Objective


In Dual/Multiple ISP implementations, PBF has traditionally been used with separate VRs for traffic failover between the ISPs.
A new feature, "Static Route Removal Based on Path Monitoring", was introduced in PAN-OS 8.0 and above.
This feature can be used to set up Dual/Multiple ISP failover without using PBF.
This document explains the steps to configure it.


Environment


  • Palo Alto Networks Firewall.
  • PAN-OS 8.0 and above.
  • Multiple ISP connections terminated on the Firewall.
     


Procedure


Topology Diagram:
User-added image

  • ISP1 -- Ethernet 1/4 -- Primary ISP
  • ISP2 -- Ethernet 1/5 -- Secondary ISP
  • 10.75.75.15 is the Default Gateway on ISP1
  • 10.75.34.11 is the Default Gateway on ISP2

Configuration:
Default Route configuration:
1. Configure the default route through the Primary ISP first, and add Path Monitoring to it so that once the Path Monitoring fails, this default route is removed from the Routing Table.
Network > Virtual Routers > "VR name" > Static Routes > Add


User-added image

2. Add and enable Path Monitoring for this route. In this case the ISP next-hop IP address is used as the Destination IP; however, any IP address on the Internet can be used as required.
Choose the Primary ISP interface IP as the Source IP.

User-added image

3. Configure another default route through the Secondary ISP (ISP2) as the backup.
Use a higher Metric value so that this route is less preferred.

User-added image

NAT Configuration:
Interface-specific NAT configuration is needed so that traffic is translated according to the egress WAN interface it is routed through.
1. Configure two NAT rules, each using one of the ISP interfaces.

User-added image

In this case, rule NAT-PrimaryInternet is configured for Ethernet 1/4 (Primary ISP) and rule NAT-SecondaryInternet for Ethernet 1/5 (Secondary ISP).
Configure the source subnets as required.

Security Policy Configuration:
Both the Ethernet 1/4 and Ethernet 1/5 interfaces have been configured in the same Security Zone.
Hence the same Security Policy applies whether traffic leaves through either of these WAN interfaces.
Policies > Security > Add
If these interfaces are configured in different Security Zones, make sure the policy includes both zones in the "Destination Zone" section.

Verification:
Once the commit completes, both routes should be present in the Routing Table.
Network > Virtual Routers > VR name > More Runtime Stats > Routing Table.


User-added image

However, only the route through the Primary ISP interface Ethernet 1/4 should be present in the Forwarding Table.

User-added image

The current egress path can be verified using the Session Browser.
Monitor > Session Browser > Use the filter to narrow down the sessions.

User-added image

In the session info shown, the egress interface is Ethernet 1/4, which is the Primary ISP interface.
The NAT rule and Security Policy that matched the session can be verified here as well.

The ISP failover can be tested by making the Path Monitoring IP address unreachable.
In this case the monitored IP address is the ISP next-hop IP address.
Once the Path Monitor fails, a Critical alert is logged in the System logs.
Monitor > Logs > System

User-added image

The Forwarding Table should now contain the default route through the Secondary ISP, as that is the next preferred route.
The default route through the Primary ISP stays removed from the Routing Table until the monitored IP is reachable again from the Primary WAN interface.

User-added image

New sessions through the firewall should now show the egress interface as Ethernet 1/5, which is the secondary WAN interface.

User-added image

Once reachability to the Path Monitoring IP address is restored, the default route through the Primary WAN interface is restored to the Routing Table and new traffic starts using it again.
Another Critical System log is recorded showing that Path Monitoring has recovered.

User-added image
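The failover behaviour verified above, modelled as an added Python example (not code from this article or from PAN-OS): two default routes sit in the Routing Table, only the lower-metric one is installed in the Forwarding Table, a failed path monitor withdraws the primary route, and the NAT rule follows the egress interface. The route names, the metric values 10 and 20, and the event strings are assumptions; the IPs and interfaces are the article's.

```python
"""Model of static-route path monitoring driving dual-ISP failover (added example)."""
from dataclasses import dataclass, field


@dataclass
class StaticRoute:
    name: str
    interface: str
    nexthop: str
    metric: int
    path_monitor: bool = False  # True: route is withdrawn while its monitor is failed
    monitor_up: bool = True     # current state of the path monitor


@dataclass
class VirtualRouter:
    routes: list = field(default_factory=list)
    events: list = field(default_factory=list)  # stands in for Critical System log entries

    def add_route(self, route):
        self.routes.append(route)

    def routing_table(self):
        """RIB: every configured route whose path monitor has not failed."""
        return [r for r in self.routes if not (r.path_monitor and not r.monitor_up)]

    def forwarding_table(self):
        """FIB: only the lowest-metric route from the RIB is installed."""
        rib = self.routing_table()
        return min(rib, key=lambda r: r.metric) if rib else None

    def path_monitor_result(self, route_name, reachable):
        """Apply a monitor probe result; record an event only on a state change."""
        for r in self.routes:
            if r.name == route_name and r.path_monitor and r.monitor_up != reachable:
                r.monitor_up = reachable
                state = "recovered" if reachable else "failed"
                self.events.append(f"critical: path monitor {state} for route {route_name}")


def egress_interface(vr):
    fib = vr.forwarding_table()
    return fib.interface if fib else None


def nat_rule_for(egress):
    # Interface-specific NAT rules from the article, keyed by egress interface.
    rules = {"ethernet1/4": "NAT-PrimaryInternet", "ethernet1/5": "NAT-SecondaryInternet"}
    return rules.get(egress)


def build_vr():
    """Assumed metrics 10 (primary, monitored) and 20 (backup, not monitored)."""
    vr = VirtualRouter()
    vr.add_route(StaticRoute("ISP1-default", "ethernet1/4", "10.75.75.15", 10, path_monitor=True))
    vr.add_route(StaticRoute("ISP2-default", "ethernet1/5", "10.75.34.11", 20))
    return vr
```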
 


Additional Information


Related article: Dual ISP VPN Site to Site Tunnel Failover with Static Route Path-Monitoring

Reference to the traditional method:
Configure Dual ISP with Traffic and VPN failover

