Palo Alto Networks Virtual Router for Testing an Additional ISP


Last updated on November 16th, 2022 at 04:43 pm

This post is a quick one but a convenient recommendation.

If you need to add an additional ISP to a Palo Alto Networks (PAN) firewall that already has an ISP circuit, place the second ISP in its own Virtual Router (VR). During the day, I added a second ISP that I put in its own VR, which did not impact the existing ISP and its traffic. This also allowed us and the second ISP to test their circuit without impacting current Internet traffic. The static route for the second ISP is added to the new VR rather than to the existing VR, because adding a static route to the existing VR may negatively impact that VR's traffic or ISP.

A Management Profile allowing ping can be used on the second ISP interface for testing.

If testing is successful, this approach leaves time to schedule a maintenance window to move the second ISP into production.

This article was the inspiration for this post and for integrating the second VR and ISP into production:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO

Example Configuration

Here is the interface configuration for the second ISP. The VR is ISP2, and a Management Profile named Ping is applied to enable ping for testing. NOTE: It's best to remove this Management Profile once testing is done, or to use one restricted to specific source addresses. Otherwise, the entire Internet will be able to ping this interface.

Second ISP Interface

Here is the list of Virtual Routers on the firewall, including the new ISP2 VR for the second ISP. The Static Routes count for ISP2 is 1: the default route toward the second ISP.

VR List – ISP2 is the Second ISP

The static default route in VR ISP2 pointing to the second ISP.

Second ISP Static Route
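The screenshots above can be expressed as PAN-OS CLI set commands. This is an added example, not configuration from the original post; the interface name (ethernet1/2), zone name (ISP2-Untrust), vsys, and the RFC 5737 addresses are assumptions, and the command syntax should be checked against your PAN-OS version before committing.

```text
# Management profile for testing: ping only, restricted to one source
# (198.51.100.10 is a constructed placeholder for your test host).
# Remove the profile after testing or keep the source restriction.
set network profiles interface-management-profile Ping ping yes
set network profiles interface-management-profile Ping permitted-ip 198.51.100.10/32

# Second ISP interface in its own zone (interface/addresses are assumptions)
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/2 layer3 interface-management-profile Ping
set vsys vsys1 import network interface ethernet1/2
set zone ISP2-Untrust network layer3 ethernet1/2

# Separate VR so the new default route cannot disturb the existing VR
set network virtual-router ISP2 interface ethernet1/2
set network virtual-router ISP2 routing-table ip static-route ISP2-Default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/2 metric 10
```

The existing VR keeps its own default route untouched; only traffic that enters VR ISP2 follows the new default route, which is what lets the circuit be tested in isolation.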

Copyright © Packet Passers 2024