topic ISP ping going out via different interface in Next-Generation Firewall Discussions

ISP ping going out via different interface

ceapen01 — Fri, 20 Jan 2023 06:35:57 GMT

I am facing a very strange issue. Thee are four ISP connected to PA. All are VLAN interfaces.

While doing a ping to 8.8.8.8 or any public IP from the vlan interface IP it works fine except for one ISP.

For one ISP if a ping a initiated from vlan.7 the traffic goes out via vlan.3. attached a screenshot.

Ping is initiated from PA cli - ping source <int ip> host 8.8.8.8

Any idea why ping is going via a different interface?

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: ISP ping going out via different interface

Metgatz — Sat, 21 Jan 2023 05:21:40 GMT

Hello @ceapen01

Hi, check if you have
ECMP that could be balancing the traffic.

Or check if you have any PBF policy that is forcing that traffic flow through that other interface.

Check that by any chance at virtualrouter level is not set an explicit route against that destination.

Another thing the PBF will not manipulate the traffic coming from the FW, that is to say in this case the IP source of vlan 7 that you mention, it will always use the route with the best metric (the one with the lowest metric).

Check if the same thing happens with an end equipment, an endpoint of vlan 7 and you will get better conclusions of the behavior.

Regards

Re: ISP ping going out via different interface

ceapen01 — Sat, 21 Jan 2023 10:45:15 GMT

Thank you

ECMP that could be balancing the traffic.

>>I didn't understand this point

Or check if you have any PBF policy that is forcing that traffic flow through that other interface.
>>No PBF

Check that by any chance at virtualrouter level is not set an explicit route against that destination.
>>As there are four ISP, four default routes exist with different metric

Check if the same thing happens with an end equipment, an endpoint of vlan 7 and you will get better conclusions of the behavior.
>>endpoint of vlan 7 gets internet and ping. No issues.

Re: ISP ping going out via different interface

Raido_Rattameister — Sat, 21 Jan 2023 17:08:15 GMT

As already mentioned PBF will not be applied to traffic sourcing from firewall itself.

If you ping from public IP to next hop then you can expect traffic to go out from same interface (because it stays inside same subnet).

If you ping from public IP to IP on the internet then you must have static route configured towards that public IP.

Otherwise Palo will look at static routes.

If multiple 0.0.0.0/0 routes have same metric (ECMP is enabled) then source interface is chosen based on ECMP settings.

So Palo will not care that you ping from specific vlan IP. Path is chosen based on virtual router configuration.

Re: ISP ping going out via different interface

ceapen01 — Sun, 22 Jan 2023 09:00:41 GMT

there are different static routes to 0.0.0.0 with different metrics. I can see ping to 8.8.8.8 from vlan 7 is now taking the interface with lowest metric (vlan3).

Is there any method such that ping to 8.8.8.8 from vlan 7 interface wd only egress through vlan 7 only.

**furthermore i can this is only happening with vlan 7. If ping from vlan 4 or 5, traffic egress via that interface only.

Re: ISP ping going out via different interface

Raido_Rattameister — Sun, 22 Jan 2023 16:06:44 GMT

No.

Traffic always uses interface with that has lowest metric route.

You need more specific static route towards 8.8.8.8 to send traffic towards 8.8.8.8 out from vlan 7 (if vlan 7 don't have lowest metric) for traffic sourcing from the firewall.

For traffic passing firewall (sourced from workstations/servers) you can use either static route or PBF (PBF is checked first and if no PBF then virtual router is checked for routing decision).