I just spent three days going back and forth with Palo Alto support to figure out why something wasn't working, eventually tracing it to our Policy-Based-Forwarding ISP Failover rule shoving packets out the wrong interface but not actually making logs of it anywhere. I made another PBR rule to fix the problem, but this is not the first time using PBR has made a mess of something that should have been simple. It's even more frustrating because the results of it are almost completely opaque and not logged anywhere, and it's taken even PA support days to figure out why these packets were being dropped. My gut tells me there's a better way of doing ISP Failover.
We've got two PA-3020 firewalls in Active/Passive redundancy. We've got two ISPs, a 1gig primary and a 100mbit secondary. All traffic should use the 1gig primary unless it goes down, in which case we'd need it to all use the 100mbit secondary.
Currently, it's being done as follows:
- ISP2 default route has an admin distance of 10.
- ISP1 default route has an admin distance of 15.
- Policy-Based Forwarding rule (which takes precedence over the routing table) forces all traffic out to ISP1, while continually pinging 8.8.8.8 from our interface to ISP1.
- If the firewall can't reach 8.8.8.8 through ISP1, the PBR rule gets disabled. Packets will then follow the routing table and be routed to ISP2.
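The setup described above, written out as PAN-OS set-CLI commands; this is an added illustration, not configuration taken from the original post. Interface names, the zone and virtual-router names, and the next-hop addresses (RFC 5737 documentation ranges) are placeholders, and the keyword spelling is as I recall it for the PAN-OS set CLI, so check it against the version in use.

```text
# Added illustration, not the poster's running config. Interfaces, zone/VR names
# and next-hop addresses are placeholders; keyword spelling is assumed.

# ISP2 (100 Mbit backup): preferred in the routing table (admin distance 10)
set network virtual-router default routing-table ip static-route ISP2-Default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 admin-dist 10 metric 10

# ISP1 (1 Gbit primary): less preferred in the routing table (admin distance 15)
set network virtual-router default routing-table ip static-route ISP1-Default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 admin-dist 15 metric 10

# PBF rule that overrides the routing table and sends everything from the inside
# zone out ISP1, with a monitor pinging 8.8.8.8 through ethernet1/1
set rulebase pbf rules ISP1-Failover from zone inside
set rulebase pbf rules ISP1-Failover source any
set rulebase pbf rules ISP1-Failover destination any
set rulebase pbf rules ISP1-Failover application any
set rulebase pbf rules ISP1-Failover service any
set rulebase pbf rules ISP1-Failover action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1
set rulebase pbf rules ISP1-Failover action forward monitor profile default ip-address 8.8.8.8 disable-if-unreachable yes

# Resulting behaviour:
#   monitor up   -> PBF wins over the routing table, traffic leaves via ISP1
#   monitor down -> rule is disabled, routing table wins (admin-dist 10), traffic leaves via ISP2
# Operational check (assumed command): "show pbf rule all" lists each PBF rule and
# whether the monitor has currently disabled it, which is the state that is otherwise invisible.
```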
Is there a better way to be doing this? I inherited this environment about a year ago, and have been slowly cleaning up messes. This wouldn't be the first weird non-standard configuration that I've found.