The deployment of dual WAN firewall solutions in branch offices is often required to ensure fail-over for unreliable WAN connections. This type of deployment however can add additional complexity compared to a full BGP setup using capable routers. With full BGP fail-over being cost prohibitive, we can however implement the next best thing using policy based routing.
Policy based routing can become quite unwieldy as it can cause the routing of traffic to become quite unclear to an administrator. However if kept simple and used under the right circumstances, for example, a dual wan branch setup. It can be deployed very flexibly to provide either Primary WAN with backup or Active/Active setup or even a combination of the two.
The way to implement this for Palo Alto firewalls at the branch site is to do the following.
1. Dual VRs with all default traffic via the secondary VR and a primary VR with a default route with a lower metric and all RFC1918 routes back to the secondary VR.
2. Policy based routing to direct both default Web and tunnel traffic via the primary wan and tunnel
3. Dual tunnels setup to ensure HQ is accessible via either WAN in the event of failure
The setup documentation to follow for the Palo Alto side is the following :
The guide provides some good images of the setup steps required. Now there are some points to make that the documentation doesn’t cover. It is possible to configure tunnel monitoring using the tunnels themselves but this obviously requires the tunnels to be both numbered and configured with a management profile to allow ping. The things to watch out for are to ensure there is a lower metric on the primary default route.
The document I used for the Netscreen setup was the following:
There really aren’t any gotchas that I encountered. The setup works with equal metric tunnel routes.
Once you have the basic networking setup then it is on to the policy setup defining what traffic is actually allowed across the tunnels. There is a whole series on layer 2 redundancy that I could go over but I think I’ll leave that for another post!