Otherwise, set up the PBF with monitoring and a route for the secondary tunnel. On the IPSec tunnel, enable monitoring with action failover if configuring the tunnels to connect to anther Palo Alto Networks firewall. If the backup VPN over ISP2 is already negotiated, that will speed up the failover process.įor each VPN tunnel, configure an IKE gateway.įor each VPN tunnel, configure an IPSec tunnel. If connectivity is to ISP1, it will failover to ISP2 as soon as possible. The reason for the multiple VRs is because both tunnels are up and running at the same time. Make sure to define the destination interface on the "Original Packet" tab for both Source NAT rules. Configure a Source NAT policy for both ISPs.Revert the traffic to use the routing table of the Secondary VR where all connected routes exist. As shown in the example below, set up the forwarding out of the Primary Interface, with monitoring to disable the rule, if the destination being monitored is not available.The firewall tells the PBF not to forward traffic destined to a private network, since it cannot route private addresses on the Internet (as there might be private network addresses that need to be forwarded out).To force the traffic out the Primary ISP interface, use the PBF Sourcing from the Trusted Zone:.Secondary VR routes for all connected interface will show up on the routing table as connected routes, and the route for the tunnel will be taken care of by Policy-Based Forwarded (PBF).Secondary VR has the Ethernet1/4 attached with all the other interfaces, as shown below:.
Palo alto networks vpn failover how to#
When the traffic is forced out the interface through the PBF, the traffic will know how to get back to the Secondary VR where the interfaces live.
A single device with two internet connections (High Availability).This document explains how to configure a Palo Alto Networks firewall that has a dual ISP connection in combination with VPN tunnels.
0 kommentar(er)
