This will overwrite all packets going to an unknown address originating from the GlobalProtect tunnel interface. There is no need for Symetric Return since the NAT will identify NATed sessions and translate it back to the initial internal IP. The next hop is the IP pointing to the ISP2 router that goes to the Internet. The PBF will modify routing behavior in the following way:Īll packets initiated from interface tunnel.1 that are heading for any other address other than directly connected LAN subnetwork or the directly connected ISP1 subnetwork should be forwarded to interface ethernet 1/3, going to ISP2.
Since we are passing the default route 0.0.0.0/0 to the GlobalProtect client, the default behavior of the firewall is to route the packets towards ISP1, because of the default route set up in the static routes of the Virtual Router. Source translation : dynamic IP and Port Interface : Ethernet 1/3 IP address: 10.193.17.1Īt this point, traffic should be able to reach ISP1 from LAN and ISP2 from GlobalProtect VPN that has yet to be configured.Source translation : dynamic IP and Port Interface : Ethernet 1/2 IP address: 192.168.2.11.The global IP will be the outgoing interface IP. In this example Dynamic IP and Port NAT is being used. In order for the outgoing traffic to be translated from internal IP addresses to outside IP addresses, we need to use some kind of Source NAT. Ĭonfigure basic networking and Security Policies to allow traffic between:Īllow traffic to the 2 ISPs by using NAT Rules The VPN traffic needs to reach the ISP2 Zone. Whenever VPN traffic is initiated by the customer, this traffic will be seen by the firewall as egress from the tunnel.1 interface and VPN Zone. In this configuration the tunnel.1 interface is placed in the Zone VPN. As such it can be configured in a zone of its own. This interface is a virtual interface that has all the features of a physical interface. A requirement for the VPN to function is a tunnel Layer 3 interface. GlobalProtect VPN will be configured soon. ISP2 is the GlobalProtect VPN traffic ISP. 1 ISP is preferred for LAN to Internet traffic - Default route towards ISP1.Simple Global Protect VPN Gateway/Portal and Client.Dual ISP connection in combination with VPN tunnels.One ISP link is used for non VPN traffic and the other is used exclusively for GlobalProtect VPN traffic.
#Palo alto networks vpn failover how to#
This document explains how to configure a Palo Alto Networks firewall that has a dual ISP connection in combination with GlobalProtect VPN.
0 kommentar(er)
