
General discussion


PBF failover

Hello everyone


I have a question. A customer wants to configure a PBF for failover, but the interface is AE. The customer has version 10.x, which gives me the option of AE, and I configure everything else to do the failover.


When I do the commit, I get an error with the next hop, and if I remove it, it lets me pass the commit.


Do you know if in the AE interfaces it is necessary to put the IP of the next hop, or can I leave it without an IP?


Greetings

Efrain Olmos

Reaper
Dec 01, 2021

Hi Efrain! PBF policy should be more or less independent of it traversing a regular or an AE interface. The next hop part depends on how you are trying to reroute traffic: if you're forwarding traffic to a router, you need to set a next hop (like an ISP uplink). If you're forwarding traffic to a VLAN or VPN tunnel, you don't need a next hop. In which way does your customer want to achieve failover?

The AE interface itself provides resilience against a failed link/switch. If they need ISP redundancy, you would typically set a PBF rule to forward traffic to isp1 and then a default route to isp2. Since you are on PAN-OS 10, you could also consider enabling ECMP and using both links at once.


©2020 by PANgurus.
