topic Re: Monitoring SD-WAN Tunnel-IF via ping in Next-Generation Firewall Discussions

Monitoring SD-WAN Tunnel-IF via ping

D.Henze — Mon, 11 Nov 2024 14:52:33 GMT

Hi Guys,

We're looking to connect multiple Palo Alto devices to our core Palo Alto via SD-WAN. In some cases, we have three internet connections at the customer site, each connected through a different ISP.

Our goal is to monitor each tunnel by pinging the destination tunnel interface IP address from our Monitoring Tool throught our Core Palo Alto and displaying the results in our monitoring tool. Unfortunately, this doesn’t work because the core Palo Alto doesn’t have the destination IP address in its routing table.

However, if we ping directly from the core Palo Alto using the source IP address of the corresponding tunnel interface, the ping works.

Does anyone have an explanation for this?

I know, the Panorama is monitoring the sd-wan connections too 🙂

Thanks and best regards,
Dirk

Re: Monitoring SD-WAN Tunnel-IF via ping

jpomachagua — Mon, 18 Nov 2024 21:25:06 GMT

Hello @D.Henze

Based on the images you provided, I have observed the following behavior:

You are able to successfully ping the IP on the destination tunnel because you are using an IP within the same zone. Both IPs, as shown in the images, belong to the "zone-to-branch" zone and share the same network.
However, when you attempt to ping with the IP 10.1.0.X, it appears that this IP belongs to a different zone and does not have a route to reach 172.17.5.204. As a result, the traffic is being sent through the untrust zone.

Considering these findings, it seems to be a networking issue. I recommend trying a PBF (Policy-Based Forwarding) rule that forces the traffic to go through the "zone-to-branch" zone when attempting to reach the IP 172.17.5.204.

Regards

Betreff: Monitoring SD-WAN Tunnel-IF via ping

D.Henze — Wed, 20 Nov 2024 17:16:45 GMT

Hi Jpomachagua,

Thank you very much for your input!

You are absolutely right. I have now configured a PBF rule to route traffic destined for 172.17.5.204 via the tunnel.910 interface. With this setup, I am able to reach the IP address using ping.

17:49:42: Without PBF
17:54:12: With PBF

However, I’ve encountered an problem for me: If I understand correctly, I would need to configure a separate PBF rule for each destination tunnel interface. Additionally, I’m concerned that the IP addresses of the tunnel interfaces might change after a reboot on the hub, or spoke side, which could complicate things further.

Could you clarify what you mean exactly by the following statement?

"Considering these findings, it seems to be a networking issue. I recommend trying a PBF (Policy-Based Forwarding) rule that forces the traffic to go through the 'zone-to-branch' zone when attempting to reach the IP 172.17.5.204."

In the PBF configuration, I can only specify a destination address, application, and service, as well as an egress interface to forward the traffic. There doesn’t seem to be an option to select a destination zone.
Regards

Re: Monitoring SD-WAN Tunnel-IF via ping

D.Henze — Thu, 21 Nov 2024 09:23:09 GMT

Sorry, I had forgotten to add the PBF

Re: Monitoring SD-WAN Tunnel-IF via ping

jpomachagua — Thu, 21 Nov 2024 16:20:12 GMT

Hello @D.Henze

You don't have to set up the zone on the PBF. Once you send the traffic through the right tunnel, it will go through the right zone. In your situation, here's what I suggest:

Set up 3 PBFs, one for each ISP connection, to make sure the traffic to the server goes through the correct tunnel.
Arrange the PBF policies in the order you need, keeping in mind that the policy at the top will be the one that matches the traffic, while the others won't work for this traffic.
Set up path monitoring with the option "Disable this rule if the next hop/monitor IP is unreachable" for the first two PBF policies.

This way, the traffic will go to tunnel 1. If it fails, the traffic will switch to tunnel 2, and if that fails too, then it will go to tunnel 3. Let me know if you have any issues with this setup.

Regards