Last updated on November 16th, 2022 at 04:43 pm
This post is a quick one, but a convenient recommendation.
If you need to add an additional ISP to a Palo Alto Networks (PAN) firewall that already has an ISP circuit, place the second ISP in its own Virtual Router (VR). During the day, I added a second ISP that I put in its own VR, which did not impact the existing ISP and its traffic. This also allowed us and the second ISP to test their circuit without impacting current Internet traffic. The static default route for the second ISP is not added to the existing VR but to the additional VR: a second 0.0.0.0/0 route in the existing VR would compete with the production default route (equal or lower metric, or a path-monitor failover) and could shift live traffic onto the untested circuit.
A Management Profile allowing ping can be used on the second ISP interface for testing.
If testing is successful, then doing it this way allows time to schedule a maintenance window to place the second ISP into production.
This article is the inspiration for this post and integrating the second VR and ISP into production.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO
Example Configuration
Here is the interface configuration for the second ISP. The VR is ISP2, and a Management Profile named Ping is applied to enable ping for testing. NOTE: It is best to remove this Management Profile after testing or restrict it with Permitted IP Addresses to a known test source. Otherwise, the whole Internet will be able to ping this interface.
Here is the list of Virtual Routers on the firewall with the new ISP2 VR for the second ISP. The Static Routes column shows 1, which is the default route to ISP 2.
The static default route in VR ISP2 for the second ISP.
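The screenshots above show the GUI; the same build-out in PAN-OS CLI set syntax is shown below as an added example, not configuration taken from the original post or from the linked KB article. The interface name (ethernet1/2), zone name (ISP2-Untrust), addresses (RFC 5737 documentation ranges), the vsys import line, and the test source 198.51.100.10/32 are all assumptions for illustration; substitute your own. The second VR gets its own default route and nothing is touched in the production VR.

```text
# --- Added example (assumed names/addresses), PAN-OS CLI configure mode ---
configure

# Second ISP interface (assumed: ethernet1/2, 203.0.113.2/30 from ISP 2)
set network interface ethernet1/2 layer3 ip 203.0.113.2/30
set network interface ethernet1/2 comment "ISP2 circuit - testing"

# Management Profile that allows ping ONLY from a known test host,
# so the whole Internet cannot ping the interface while it is up for testing
set network profiles interface-management-profile Ping ping yes
set network profiles interface-management-profile Ping permitted-ip 198.51.100.10/32
set network interface ethernet1/2 layer3 interface-management-profile Ping

# Dedicated zone for the new circuit (assumed name)
set zone ISP2-Untrust network layer3 ethernet1/2

# On multi-vsys platforms the interface must be imported into the vsys (assumed vsys1)
set vsys vsys1 import network interface ethernet1/2

# New Virtual Router holding ONLY the second ISP interface
set network virtual-router ISP2 interface ethernet1/2

# Default route for ISP 2 lives in VR ISP2, not in the production VR
set network virtual-router ISP2 routing-table ip static-route default-isp2 destination 0.0.0.0/0
set network virtual-router ISP2 routing-table ip static-route default-isp2 nexthop ip-address 203.0.113.1
set network virtual-router ISP2 routing-table ip static-route default-isp2 interface ethernet1/2
set network virtual-router ISP2 routing-table ip static-route default-isp2 metric 10

commit
exit

# --- Verification from operational mode (nothing here changes production traffic) ---
# Confirm the only default route in ISP2 points at ISP 2's gateway
show routing route virtual-router ISP2

# Confirm which interface/next hop VR ISP2 would use for an Internet destination
test routing fib-lookup virtual-router ISP2 ip 1.1.1.1

# Ping out of the ISP2 interface; the source address selects the dataplane
# interface, so the lookup is done in VR ISP2
ping source 203.0.113.2 count 4 host 1.1.1.1

# Clean-up once testing is done: drop the profile from the interface
configure
delete network interface ethernet1/2 layer3 interface-management-profile
commit
exit
```

Running `show routing route` against the existing production VR before and after the commit is a cheap check that the new default route did not land in it. The `permitted-ip` line is what keeps the test-time exposure small; if the profile is kept for the cut-over maintenance window, keep that restriction with it.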
Copyright © Packet Passers 2024