topic PBF Rules being ignored in General Topics

PBF Rules being ignored

rmcrae — Thu, 11 Aug 2022 17:01:34 GMT

I have setup several PBFs to force traffic to use a specific egress interface for monitoring that particular path. I then setup a ping monitor on one of the servers, Source Address 192.168.200.15, to ping several different Destination Addresses (DA). The SA is the same for each 'monitor' but the DA is different. The PBF is then setup to forward this traffic based on the source and destination addresses to the interface I want to monitor.

The rules look something like this:
Rule1. PBF_Egress-1 SA:192.168.200.15 DA:4.2.2.1 Action:Forward Egress-I/F:Eth1/1 Next Hop:192.168.0.1

Rule2. PBF_Egress-2 SA:192.168.200.15 DA:4.2.2.2 Action:Forward Egress-I/F:Eth1/2 Next Hop:192.168.1.1

Rule3. PBF_Egress-3 SA:192.168.200.15 DA:4.2.2.3 Action:Forward Egress-I/F:Eth1/3 Next Hop:192.168.2.1

Rule4. PBF_Egress-4 SA:192.168.200.15 DA:4.2.2.4 Action:Forward Egress-I/F:Eth1/4 Next Hop:192.168.3.1

Rule5. PBF_Egress-Block SA:192.168.200.15 DA:<all of the above DAs> Action:discard

Rule 5 is in place to make sure that if the traffic gets past those monitor PBF rules 1-4 it is discarded so that it can't use the default routes. I just setup a new rule and the interface is still not active so I would expect that the traffic to not be forwarded because it should still be handled by the new rule, rule 4 or at the very least rule 5, but even though the route is not yet valid but it seems to be making it past all of these rules to the default route rule and getting forwarded. When I verify the traffic via Trace Route from the above SA to 4.2.2.4 I can see that the new traffic is bouncing around the other interfaces and that tells me it's making it to the default routing rules that are a load balanced SD-WAN interface. Those default routing rules are much lower in the stack.

Anyone have any ideas why this is happening and how to make sure the PBF rules are honored?

Re: PBF Rules being ignored

OtakarKlier — Fri, 12 Aug 2022 18:51:01 GMT

Hello,

PBF policies take effect prior to the default router so they are honored first. I say take a look at the traffic logs and make sure the PBF policies match what the traffic logs are seeing, i.e. source/dest/zones/ etc.

Regards,

Re: PBF Rules being ignored

rmcrae — Fri, 12 Aug 2022 22:20:30 GMT

This problem still exists. I even checked the PBF with the Test Policy Match and according to the test results it is working as expected but when I run a trace route traffic is still passing from the server to the DA that should not be reachable since that path is down. So I can't explain what is causing this and before I turn up that path I'd like to understand what's happening. I've compared the rules to each other and all of the options are the same. The only differences are the DA, Egress Interface, and Next Hop.

I should also mention that Rule 5 is only a safety net rule. As long as that rule has been in place it has never received any hits under the Hit Counter. I realize that it's not really needed but at the same time it's not hurting anything either.

Re: PBF Rules being ignored

rmcrae — Tue, 16 Jan 2024 05:52:36 GMT

Still have this issue. PBFs are not honored. I might have to open a case for this.