WAN Failover Configuration for Palo Alto PA Series
Overview
Integrating cellular Internet access into a traditional, wireline data network is typically accomplished through one of three interfaces: USB aircards, embedded radios, or a dedicated cellular networking appliance. Of these methods, only the dedicated appliance provides a solution that can overcome the challenges of deploying reliable LTE connectivity.
Both USB aircards and embedded radios only capture cell signals as they are received from the equipment closet or server rack where the edge appliance resides (since both must integrate directly in/ on a host device). This is rarely where coverage is optimal. Aircards in particular present significant challenges due to their need for driver support, their lack of external antennas, and the short lifespan of these consumer-grade dongles.
LTE networking appliances are ideal for wireless WAN failover because they integrate with networks via Ethernet (or WiFi). To streamline cellular deployments, Digi's Cellular Extenders are optimized from the point of installation all the way through to data plan management. Setup is simplified when using a Remote Mounting Kit (RMK) -- the included (passive) PoE injector and temporary battery pack for site survey -- and Digi Cellular Extenders are set for IP passthrough by default to ensure the backup (cellular) WAN connection is completely controlled by the network's existing edge.
This document covers how to install a Digi Cellular Extender and configure it for failover with a third-party networking appliance. Since all Digi Cellular Extenders, the 6300-CX and 6310-DX, default to IP passthrough, most of the software settings described below apply to the third-party device referenced in this article. Requirements for dual-WAN configuration will vary depending on the make and firmware version of the edge appliance controlling the failover parameters.
Interoperability Matrix
When configuring dual-ISP failover within the Palo Alto Networks Operating System (PAN-OS), it is required that both WAN uplinks are assigned a static address (private or public).
See below for interoperability information of the hardware tested for this solution. It includes the firmware versions of both devices as well as the date of testing.
Date | PAN-OS Firmware | Cellular Extender Firmware |
---|---|---|
11/2018 | 5.0.6 | 18.4.54.41 |
Caveats
Good signal strength is required to maintain reliable cellular Internet access. A site survey should be performed prior to installing the Digi Cellular Extender. While network performance varies depending on the carrier and location, all deployments can be optimized to minimize the challenges presented by building materials, RF interferene, and other environmental constraints.
Using a Digi Celluler Extender for WAN failover assumes that an active Internet connection is available from another network interface set as the primary connection for the edge appliance. It is recommended that the Cellular Extender runs in IP passthrough mode to integrate seamlessly with existing IT infrastructure.
NOTE: The third-party appliance tested in this document was running its default configuration. If the steps outlined in this document interfere with existing customizations, or vice versa, consider backing up the edge appliance's current settings and testing failover functionality after temporarily erasing the third-party device's configuration.
Accelerated 6310-DX Setup
Initial Setup
Digi Cellular Extenders have a socket that houses the CORE 1002-CM Plug-In Modem in order to provide LTE connectivity. Prior to plugging in the modem, insert an active 2FF SIM card into either (or both) of the 1002-CM's two SIM slots.
After securing the plug-in module, cover the exposed side of the main appliance using the included faceplate and affix both antennas. The unit is now assembled for cellular network access.
|
Site Survey
The mounting bracket that comes with Digi Cellular Extenders presents multiple options for device placement. Perform a site survey to make an informed decision as to where the ideal on-site location for cellular services might be, based off of reception and proximity to the edge appliance.
Using the temporary battery pack, power up the unit and wait for it to establish a cellular connection before moving around to potential install locations -- see the LEDs section of this document for more information on the Digi Cellular Extender's various status indicators.
NOTE: If the Cellular Extender is having difficulties connecting to its LTE network, please refer to the article that covers Staging for Initial Connectivity.
|
Power Option 1: Remote Installation
Digi offers a Remote Mounting Kit (RMK) that includes 3 key components:
- Passive Power-over-Ethernet (PoE) Injector
- Temporary Battery Pack
- Install Accessories
Using the PoE injector, the Digi Cellular Extender can be powered up to 300 ft away from the unit's power supply using only the (Cat 5 or Cat 6) Ethernet cable that also integrates LTE data access into the network.
|
Power Option 2: Direct Installation
If optimal signal is readily available within range of a power outlet, Digi's Cellular Extenders can be connected directly to the included power supply and then integrated into the network using a standard Ethernet cable.
|
LEDs
Once power has been established, the Digi Cellular Extender will initialize and attempt to connect to a cellular network per the settings provisioned to its inserted SIM card. Device initialization may take several minutes as it joins an LTE network for the first time.
Indicator lights on the Wireless Strength Indicator update every 30 seconds to show the currently observed signal strength, while the Network Status Light updates to display the type of cellular connectivity available. Please refer to the following table for more information:
IP Passthrough
Digi Cellular Extenders are set by default with IP passthrough configured for the PoE-enabled Ethernet port, meaning any client device connected to the passthrough interface will receive the IP address directly assigned to the Cellular Extender's LTE radio.
It is suggested that IP passthrough is used when deploying a backup WAN connection into an edge appliance to ensure seamless network integration. With passthrough enabled the Cellular Extender will not directly control the routing of packets going to or from its LTE radio interface, instead deferring to the logic (routing tables and firewall policies) of the edge appliance.
To toggle IP passthrough on or off, please refer to the following configuration example: LAN port with IP passthrough. Note that this is only required for devices running non-standard configs.
Palo Alto Configuration
Refer to the steps outlined below for details on how to set PA Series firewalls for dual-WAN failover. Changes must be Committed before they are live on the appliance.
NOTE: Digi Support will assist in troubleshooting interoperability between the Digi Cellular Extender and a third-party appliance. However, support is limited to a *stock* configuration of the third-party device.
This means that the current (non-Digi) config will need to be backed up, either through a formal “export” feature or by taking notes/ screenshots of non-standard settings, leaving technicians in a position to configure the device as if it were brand new (therefore being able to rely on third-party vendor documentation).
If failover settings are validated but then break using the third-party appliance's non-standard production config, troubleshooting with third-party support may be required.
Removing the Default Virtual Wire
PA-Series firewalls come preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (as well as a corresponding default sucrity policy and zone), used to effectively "bridge" two Ethernet ports. Delete these settings to prevent them from interfering with the dual-WAN configuraiton.
You must delete the configuration in the following order:
|
Creating Virtual Routers
Next, set interfaces that correspond to the intended Ethernet ports and functionality. This document assumes the primary ISP is connected to Ethernet 1/1 and that the LTE connection provided by the Digi Cellular Extender terminates to Ethernet 1/2. The remaining ports -- Ethernet 1/3 and Ethernet 1/4 -- are reserved for LAN access. WAN failover is accomplished on the Palo Alto Networks OS by setting up 2 "Virtual Routers" with varying priority, and then setting up static routes that dictate when available WAN uplinks are utilized based off of metric values associated with each route.
For this sample configuration, the primary ISP is associated with its own virtual router as the default WAN route so long as it is available. A second virtual router hosts the cellular ISP as well as the LAN ports. There are static routes associated with each virtual router that dynamically point oubtound traffic to the intended WAN interface depending on an available connection ince routes with metric values closer to (but greater than) 0 are honored first, and are prioritized accordingly across virtual routers.
Creating the first virtual router:
Creating the second virtual router:
Adding a "return" route to the first virtual router:
|
Security Settings
Additional steps are required to ensure seamless, secure routing regardless of which WAN is currently active (primary broadband or cellular failover). Notably, each interface needs to be assigned to its intended firewall zone and access to relevant services, policies and protocols must be set.
|
Failover Monitor
To dynamically route to either the primary ISP or cellular backup based off of the availability of the primary ISP, a policy-based forwarding (PBF) rule must be created to specify when the firewall should use its failover connection.
|
Testing the Backup WAN
Failover configuration is complete after working through the steps outlined above. Per this setup, the PA-Series firewall will route traffic out of its primary Ethernet WAN so long as it is online. The cellular connection becomes the primary outbound route should the primary WAN fail.
When simulating the loss of network connectivity, it is best to keep all Ethernet cables connected and simply remove the Internet connection to the ISP (e.g. the coax terminating to a broadband cable modem). This is to more closely emulate the conditions of a real-word network outage rather than a broken cable link.