Configuring path monitoring with dual ISP in Palo Alto firewalls ensures high availability and seamless failover. Below is a detailed guide with verified commands and steps.
1. Add Cloud0 Management for Internet Access
Ensure Cloud0 is enabled for management access:
configure
set deviceconfig system external-management-interface cloud
commit
2. Configure the Management Interface
Assign an IP and enable management services:
set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.0
set deviceconfig system default-gateway 192.168.1.254
set deviceconfig system dns-setting servers primary 8.8.8.8
commit
3. Create Security Zones
Define the security zones (Trust, Untrust-ISP1, Untrust-ISP2) and bind each one to its interface. PAN-OS sets zone membership on the zone object, not on the interface; replace `<trust-interface>` with the firewall's internal interface. The zones are committed together with the interface configuration in the next step:
set zone Trust network layer3 <trust-interface>
set zone Untrust-ISP1 network layer3 ethernet1/1
set zone Untrust-ISP2 network layer3 ethernet1/2
4. Configure Interfaces & Map Zones
Assign IP addresses to the ISP interfaces (Ethernet1/1 for ISP1, Ethernet1/2 for ISP2) and add them to the default virtual router. There is no `zone` keyword on the interface command; membership is set on the zone (`set zone Untrust-ISP1 network layer3 ethernet1/1`):
set network interface ethernet1/1 layer3 ip 203.0.113.1/30
set network interface ethernet1/2 layer3 ip 198.51.100.1/30
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
commit
5. Configure Default Static Routes with Path Monitoring
Set a default route for each ISP, give ISP1 the lower metric so it is preferred, and enable path monitoring on it. `ISP1-DNS` is an example monitor-destination name that pings 8.8.8.8 from the ISP1 interface address; when that destination fails, the ISP1 route is withdrawn from the FIB and the ISP2 route (higher metric, no monitored destination) takes over:
set network virtual-router default routing-table ip static-route ISP1 destination 0.0.0.0/0 nexthop ip-address 203.0.113.2
set network virtual-router default routing-table ip static-route ISP1 interface ethernet1/1
set network virtual-router default routing-table ip static-route ISP1 metric 10
set network virtual-router default routing-table ip static-route ISP1 path-monitor enable yes
set network virtual-router default routing-table ip static-route ISP1 path-monitor failure-condition any
set network virtual-router default routing-table ip static-route ISP1 path-monitor monitor-destinations ISP1-DNS enable yes source 203.0.113.1/30 destination 8.8.8.8
set network virtual-router default routing-table ip static-route ISP2 destination 0.0.0.0/0 nexthop ip-address 198.51.100.2
set network virtual-router default routing-table ip static-route ISP2 interface ethernet1/2
set network virtual-router default routing-table ip static-route ISP2 metric 20
commit
6. Create Security Policy for Trust-to-Untrust
Allow internal traffic to exit via either ISP:
set rulebase security rules Allow-Outbound from Trust to [ Untrust-ISP1 Untrust-ISP2 ] source any destination any application any service any action allow
commit
7. Configure NAT Policy
Set up source NAT for outbound traffic. A NAT rule accepts only one destination zone, so create one rule per ISP, each translating to the address of that ISP's egress interface:
set rulebase nat rules NAT-Outbound-ISP1 from Trust to Untrust-ISP1 source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules NAT-Outbound-ISP2 from Trust to Untrust-ISP2 source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/2
commit
8. Configure ISP Routers
On the Cisco routers acting as ISP1 and ISP2, the firewall-facing link is the NAT inside side and the upstream link is the outside side, with the default route pointing upstream (ISP2 mirrors this with 198.51.100.2/30). Because the firewall already translates to its own interface IP, the NAT ACL must also match the firewall link; `<upstream-ip>`, `<upstream-mask>` and `<upstream-next-hop>` are placeholders for the provider side:
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 ip address <upstream-ip> <upstream-mask>
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 <upstream-next-hop>
ip nat inside source list INTERNAL interface GigabitEthernet0/1 overload
ip access-list standard INTERNAL
 permit 192.168.1.0 0.0.0.255
 permit 203.0.113.0 0.0.0.3
9. Test Failover
- Verify traffic flows via ISP1:
show routing route
- Shut down ISP1 and confirm failover to ISP2:
test routing fib-lookup virtual-router default ip 8.8.8.8
You Should Know:
- Path Monitoring Checks: Palo Alto uses ICMP pings by default. Tune the ping interval and the number of consecutive lost pings that mark a destination as failed on the monitor destination itself (`ISP1-DNS` is the example destination name from step 5):
set network virtual-router default routing-table ip static-route ISP1 path-monitor monitor-destinations ISP1-DNS interval 3 count 5
- Log Verification: Check failover logs via:
show log system direction equal backward lines 50
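The failover decision described in steps 5 and 9 (a route is withdrawn when its monitored destinations fail under the `any`/`all` failure condition, and the lowest-metric installed default route wins) is easy to reason about in code. The following Python simulation is an added example, not part of the original post or of PAN-OS; route names, metrics and the monitor destinations (8.8.8.8 and a constructed second target 8.8.4.4) are sample values, and `count` plays the role of the path-monitor ping count.

```python
from dataclasses import dataclass, field


@dataclass
class MonitorDestination:
    name: str
    ip: str
    count: int = 5        # consecutive lost pings before the destination is declared down
    lost_pings: int = 0   # simulated state; the real firewall tracks this internally

    def record_ping(self, replied: bool) -> None:
        # The failure counter is consecutive: a single reply resets it.
        self.lost_pings = 0 if replied else self.lost_pings + 1

    def is_down(self) -> bool:
        return self.lost_pings >= self.count


@dataclass
class StaticRoute:
    name: str
    nexthop: str
    metric: int
    path_monitor: bool = False
    failure_condition: str = "any"   # "any" or "all", mirroring the CLI keyword
    destinations: list = field(default_factory=list)

    def is_installed(self) -> bool:
        """A route stays in the FIB unless path monitoring declares it failed."""
        if not self.path_monitor or not self.destinations:
            return True
        down = [d.is_down() for d in self.destinations]
        failed = any(down) if self.failure_condition == "any" else all(down)
        return not failed


def active_default_route(routes):
    """Return the name of the lowest-metric installed default route, or None."""
    installed = [r for r in routes if r.is_installed()]
    if not installed:
        return None
    return min(installed, key=lambda r: r.metric).name


def build_lab():
    # Constructed sample: ISP1 preferred (metric 10) and monitored, ISP2 as backup.
    isp1 = StaticRoute("ISP1", "203.0.113.2", 10, path_monitor=True,
                       failure_condition="any",
                       destinations=[MonitorDestination("dns-a", "8.8.8.8"),
                                     MonitorDestination("dns-b", "8.8.4.4")])
    isp2 = StaticRoute("ISP2", "198.51.100.2", 20)
    return [isp1, isp2]
```

Flip `failure_condition` to `"all"` to see that one failing destination no longer withdraws the ISP1 route.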
What Undercode Say
Dual ISP setups in Palo Alto require precise routing, NAT, and monitoring. Key takeaways:
- Use `show session all` to verify traffic paths.
- `debug dataplane route` helps troubleshoot routing issues.
- For advanced monitoring, use `test path-monitor static-route ISP1`.
- Always verify NAT translations with `show running nat-policy`.
Expected Output:
- Traffic flows via the primary ISP (ISP1).
- Upon ISP1 failure, logs confirm the automatic switch to ISP2.
- `show routing fib-lookup` displays active routes.
Reported By: Shamseer Siddiqui – Hackers Feeds