https://live.paloaltonetworks.com/t5/next-generation-firewall/pbf-rule-monitoring-forced-egress-i-f/m-p/573809#M2491 <P>Rule state "Disabled" means that monitoring took PBF down.</P> <P>&nbsp;</P> <P>To troubleshoot:</P> <P>Uncheck "Disable this rule if nexthop/monitor ip is unreachable" to force PBF to be active.<BR />Generate some traffic that matches PBF.<BR />Go to Monitor &gt; Traffic and check logs.<BR />Did traffic flow work?<BR />Did you get any replies from ethernet1/2?<BR />Do you have source nat policy configured for traffic exiting ethernet1/2 interface?</P> <P>&nbsp;</P> <P>When you get traffic working then you can re-check "Disable this rule if nexthop/monitor ip is unreachable" checkbox to enable PBF rule monitoring.</P> Sun, 21 Jan 2024 13:38:37 GMT Raido_Rattameister 2024-01-21T13:38:37Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pbf-rule-monitoring-forced-egress-i-f/m-p/573791#M2489 <P>I have a dual ISP configuration.&nbsp; ethernet1/1 is primary Internet.&nbsp; ethernet1/2 is backup wireless Internet (phone or dedicated hot spot as needed).&nbsp; ethernet1/2 is connected to an old Linksys router running DD-WRT and it automatically connects to my hotspot when I turn it on.&nbsp; Otherwise, there is no Internet access via ethernet1/2.</P> <P>&nbsp;</P> <P>I have a PBF rule configured with an egress interface of ethernet1/2, a next hop of 192.168.2.1, and a monitor configured for 8.8.4.4.&nbsp; Obviously 8.8.4.4 is pingable from any internal network client as it is using ethernet1/1 for Internet access.&nbsp; However, running <STRONG>show pdf rule all</STRONG> shows the PBF rule state as Disabled instead of Active.</P> <P>&nbsp;</P> <P>The only documentation I can find on Path monitoring for PBF is:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf</A></P> <P>&nbsp;</P> <P>It does not say that the monitor doesn't follow routing rules and instead forces out the egress interface.&nbsp; It also doesn't say anything about the next hop being used.&nbsp; I'm presuming at this point that the egress interface and/or next hop configuration on the Forwarding tab of the PBF rule play a role in how the monitor operates, but I would like to find some official documentation that can support the theory, especially if the theory is wrong and this is working by accident or some other function.</P> <P>&nbsp;</P> <P>Bottom line: Why is this working?</P> Sat, 20 Jan 2024 17:35:02 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pbf-rule-monitoring-forced-egress-i-f/m-p/573791#M2489 jhossbach 2024-01-20T17:35:02Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pbf-rule-monitoring-forced-egress-i-f/m-p/573809#M2491 <P>Rule state "Disabled" means that monitoring took PBF down.</P> <P>&nbsp;</P> <P>To troubleshoot:</P> <P>Uncheck "Disable this rule if nexthop/monitor ip is unreachable" to force PBF to be active.<BR />Generate some traffic that matches PBF.<BR />Go to Monitor &gt; Traffic and check logs.<BR />Did traffic flow work?<BR />Did you get any replies from ethernet1/2?<BR />Do you have source nat policy configured for traffic exiting ethernet1/2 interface?</P> <P>&nbsp;</P> <P>When you get traffic working then you can re-check "Disable this rule if nexthop/monitor ip is unreachable" checkbox to enable PBF rule monitoring.</P> Sun, 21 Jan 2024 13:38:37 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pbf-rule-monitoring-forced-egress-i-f/m-p/573809#M2491 Raido_Rattameister 2024-01-21T13:38:37Z