Problem with PBF with two ISP and two VR

clonesheep — Tue, 26 Jul 2022 15:30:06 GMT

Hi all,

I have a PA220 managed with Panorama. Very cool mgmt and very powerful. Only the PA220 is a bit slow.

My Situation - I have two internet connections (Eth 1/1 and 1/7) with fixed IP. Both have their own VR and therefore both have a null route. And both have own untrust1 and untrust2 zone.

All my clients 10.10.10.x/24 are in trust1 zone and can connect by vr1 to www. Now I will set some clients by a PBF Rule to go all www traffic forward to eth 1/7 and next hop the public IP from eth1/7.
It doesn't want to work the way I think it should.

In the traffic monitor I see the traffic that is also allowed. Zones are also allowed access, which fits. I have a suspicion that something is not working with the return route.

In vr2 I have already set a route that when it goes to network 10.10.10.x/24 it should go to the next VR1.
But that doesn't help either.

Anyone have an idea what it could be?
Have worked like this https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps#id1e130c06-0775-45d9-9f96-c416531fdb5f but there same routers are used.

Re: Problem with PBF with two ISP and two VR

SutareMayur — Thu, 28 Jul 2022 05:27:48 GMT

Hi @clonesheep ,

Can you check Symmetric Return settings on the router?

Select Enforce Symmetric Return to ensure that return traffic from the Corporate zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet.

Ref article.

topic Problem with PBF with two ISP and two VR in Next-Generation Firewall Discussions

Problem with PBF with two ISP and two VR

Re: Problem with PBF with two ISP and two VR