Dual ISP redundancy using the Static Route Path Monitoring feature for traffic failover
Objective
In dual or multiple ISP deployments, Policy-Based Forwarding (PBF) rules, usually combined with a separate virtual router per ISP, have traditionally been used to fail traffic over between the ISPs.
PAN-OS 8.0 introduced the feature "Static Route Removal Based on Path Monitoring": a static route can be tied to ICMP path monitoring and is withdrawn from the routing table when the monitored path fails.
This allows a dual or multiple ISP failover configuration without PBF. Failover then depends only on the two default routes and their metrics, which keeps the configuration simpler, and NAT selection follows the egress interface.
This document explains the steps to configure it.
Environment
- Palo Alto Networks Firewall.
- PAN-OS 8.0 and above.
- Multiple ISP connections terminated on the Firewall.
Procedure
Topology diagram:
- ISP1: Ethernet 1/4, primary ISP
- ISP2: Ethernet 1/5, secondary ISP
- 10.75.75.15 is the default gateway on ISP1
- 10.75.34.11 is the default gateway on ISP2
Configuration:
Default route configuration:
1. Configure the default route through the primary ISP first, and attach path monitoring to it so that the route is removed from the routing table as soon as path monitoring fails.
Network > Virtual Routers > "VR name" > Static Routes > Add
2. Add and enable path monitoring for this route. In this example the ISP next-hop IP address is used as the monitored destination. Any IP address on the Internet can be used instead; monitoring the next hop only detects failure of the local link or gateway, while monitoring an address beyond the ISP gateway also detects an outage further upstream, so choose the destination according to which failures must trigger failover.
Set the source IP to the primary ISP interface IP so that the ICMP probes leave through the primary WAN interface. The remaining path monitoring settings (failure condition Any/All, preemptive hold time, and the per-destination ping interval and count) control how quickly the route is withdrawn and how long the path must stay up before the route is reinstated.
3. Configure another default route through the secondary ISP (ISP2) as the backup.
Give it a higher metric than the primary route so that it is less preferred while the primary route is present.
NAT configuration:
Interface-specific NAT rules are required so that traffic is source-translated to the address of whichever WAN interface it is routed out of.
1. Configure two NAT rules, each matching one of the ISP interfaces as the destination (egress) interface.
In this case the rule NAT-PrimaryInternet is configured for Ethernet 1/4 (primary ISP) and the rule NAT-SecondaryInternet for Ethernet 1/5 (secondary ISP).
Set the source subnets as required. Because both rules share the same zone and source criteria, the destination interface is what selects the correct translation after a failover.
Security policy configuration:
Both Ethernet 1/4 and Ethernet 1/5 are configured in the same security zone.
The same security policy therefore applies whether traffic leaves through one WAN interface or the other.
Policies > Security > Add
If the two interfaces are placed in different security zones, make sure the policy includes both zones in the Destination Zone field; otherwise traffic is denied after failover even though the route and NAT rule are correct.
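The same configuration expressed as PAN-OS CLI set commands, as an added example that is not part of the original article. Everything not stated in the topology above is assumed: the virtual router is named "default", the WAN interface addresses are 10.75.75.10/24 (ethernet1/4) and 10.75.34.10/24 (ethernet1/5), the zones are "trust" and "untrust", and the inside subnet is 192.168.1.0/24. The command syntax is written from memory of the 8.x CLI; confirm each token with "?" completion on your own PAN-OS version before committing.

```panos
# Added example, not from the article. Assumed: VR "default", ethernet1/4 = 10.75.75.10/24,
# ethernet1/5 = 10.75.34.10/24, zones trust/untrust, inside subnet 192.168.1.0/24.
configure

# 1. Primary default route via ISP1 (metric 10) with path monitoring attached.
#    failure-condition any: the route is withdrawn when any monitored destination fails.
#    hold-time: preemptive hold time in minutes before a recovered route is reinstated.
#    The monitor destination is the ISP1 gateway; the source is the ethernet1/4 address
#    so the ICMP probes leave through the primary WAN interface.
set network virtual-router default routing-table ip static-route Default-ISP1 destination 0.0.0.0/0 interface ethernet1/4 nexthop ip-address 10.75.75.15 metric 10
set network virtual-router default routing-table ip static-route Default-ISP1 path-monitor enable yes
set network virtual-router default routing-table ip static-route Default-ISP1 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route Default-ISP1 path-monitor hold-time 2
set network virtual-router default routing-table ip static-route Default-ISP1 path-monitor monitor-destinations ISP1-GW enable yes source 10.75.75.10/24 destination 10.75.75.15 interval 3 count 5

# 2. Backup default route via ISP2 with a higher metric (20); no path monitoring needed.
set network virtual-router default routing-table ip static-route Default-ISP2 destination 0.0.0.0/0 interface ethernet1/5 nexthop ip-address 10.75.34.11 metric 20

# 3. Interface-specific source NAT: identical match criteria except the destination
#    (egress) interface, so whichever default route is active selects the right rule.
set rulebase nat rules NAT-PrimaryInternet from trust to untrust source 192.168.1.0/24 destination any service any to-interface ethernet1/4
set rulebase nat rules NAT-PrimaryInternet source-translation dynamic-ip-and-port interface-address interface ethernet1/4
set rulebase nat rules NAT-SecondaryInternet from trust to untrust source 192.168.1.0/24 destination any service any to-interface ethernet1/5
set rulebase nat rules NAT-SecondaryInternet source-translation dynamic-ip-and-port interface-address interface ethernet1/5

# 4. Security policy: both WAN interfaces sit in zone "untrust", so one rule covers either egress path.
#    If the WAN interfaces were in separate zones, list both zones after "to".
set rulebase security rules Allow-Internet from trust to untrust source 192.168.1.0/24 destination any application any service application-default action allow

commit
```

If the ISP1 interface address is obtained by DHCP, the path monitor source must reference the interface's DHCP address rather than a static value, and the NAT rule still translates to the interface address, so those two lines are the only ones that change.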
Verification:
Once the commit completes, both default routes should be present in the routing table (RIB).
Network > Virtual Routers > VR name > More Runtime Stats > Routing Table
Only the route through the primary ISP interface Ethernet 1/4, however, should be present in the forwarding table (FIB), because it has the lower metric.
The current egress path can be verified in the Session Browser.
Monitor > Session Browser > Use the filter to narrow down the sessions
The session details show the egress interface as Ethernet 1/4, the primary ISP interface.
The NAT rule and security policy matched by the session can be verified there as well.
ISP failover can be tested by making the path monitoring IP address unreachable; in this example that is the next-hop IP address of ISP1.
Once path monitoring fails, a critical-severity alert is written to the system log.
Monitor > Logs > System
The forwarding table should now contain the default route through the secondary ISP, as that is the next preferred route.
The default route through the primary ISP stays out of the routing table until the monitored IP becomes reachable again from the primary WAN interface.
New sessions through the firewall should now show Ethernet 1/5, the secondary WAN interface, as the egress interface. Sessions that were established before the failover keep the source NAT address assigned at session setup, so test with new sessions (or clear the old ones) rather than expecting existing sessions to be re-translated.
Once reachability to the path monitoring IP address is restored and the preemptive hold time has elapsed, the default route through the primary WAN interface is reinstated in the routing table and new traffic starts using it again.
Another critical system log is written, showing that path monitoring has recovered.
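The same verification from the CLI, as an added example that is not part of the original article. It assumes the virtual router "default", the zones and addresses used in the configuration example above, an inside host 192.168.1.50, and 1.1.1.1 as a public test destination; all of these are assumptions, as is the exact filter syntax, which should be checked with "?" completion on your version.

```panos
# Added example, not from the article. Assumed: VR "default", zones trust/untrust,
# ethernet1/4 = 10.75.75.10, inside host 192.168.1.50, public test address 1.1.1.1.

# Before failover: both default routes in the RIB, only the ISP1 route in the FIB.
show routing route type static virtual-router default
show routing fib virtual-router default

# Which route would a packet to the Internet use right now? Expect ethernet1/4 / 10.75.75.15.
test routing fib-lookup virtual-router default ip 1.1.1.1

# Which NAT rule and security rule would a new session match? Expect NAT-PrimaryInternet.
test nat-policy-match from trust to untrust source 192.168.1.50 destination 1.1.1.1 protocol 6 destination-port 443
test security-policy-match from trust to untrust source 192.168.1.50 destination 1.1.1.1 protocol 6 destination-port 443

# Confirm the probe path itself works from the primary WAN interface address.
ping source 10.75.75.10 host 10.75.75.15 count 3

# Egress interface of live sessions from the test host (compare with the Session Browser).
show session all filter source 192.168.1.50

# Trigger failover externally (for example, block ICMP from the firewall on the ISP1 gateway
# or disconnect the ISP1 link), then repeat the checks. Expect the ISP1 route gone from the RIB,
# the ISP2 route in the FIB, and the fib-lookup answering ethernet1/5 / 10.75.34.11.
show routing route type static virtual-router default
show routing fib virtual-router default
test routing fib-lookup virtual-router default ip 1.1.1.1
test nat-policy-match from trust to untrust source 192.168.1.50 destination 1.1.1.1 protocol 6 destination-port 443

# Old sessions keep the ISP1 NAT address; clear them so the test host starts fresh sessions via ISP2.
clear session all filter source 192.168.1.50
show session all filter source 192.168.1.50

# Path monitoring failure and recovery events are critical system log entries.
show log system direction equal backward
```

The two fib-lookup results before and after the failure are the quickest confirmation: they show the route actually installed for forwarding, independent of any session that may still be pinned to the old egress interface.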
Additional Information
Dual ISP VPN site-to-site tunnel failover with static route path monitoring
Reference for the traditional method: Configure Dual ISP with Traffic and VPN failover