https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519244#M107668 <P>Thanks for your reply.&nbsp;</P> <P>1. The single server doesn't have internet connectivity. It can still talk to the other servers on the LAN but it doesn't have internet connectivity.</P> <P>2. Captures show that ARP requests are incomplete. This could be due to the fact that there is no VR configured for ISP2.</P> <P>&nbsp;</P> <P>&gt;show arp all <BR />ethernet1/10 147.129.178.129 (incomplete) ethernet1/10 i 1</P> <P>&gt;show counter global filter packet-filter yes delta yes severity drop<BR />flow_fwd_l3_noarp 7 0 drop flow forward Packets dropped: no ARP<BR /><BR /></P> Wed, 26 Oct 2022 14:48:04 GMT Anees10 2022-10-26T14:48:04Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519167#M107660 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Drawing1.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44880i78E33258E59B4989/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Drawing1.png" alt="Drawing1.png" /></span></P> <P> </P> <P>We recently added a new Internet link to our PA-3020. We want only one server (10.1.12.130) to use it, so we configured the new internet link interface as layer-3 , assigned it a static IP, created a PBF policy that basically specifies the zone (internal) and the source IP (10.1.12.130) and the destination is any (negate 10.0.0.0/8) and the action is to forward traffic to egress IF 1/10 with next hop of 1.1.1.1</P> <P>We also created a NAT rule : From internal zone to external zone, source IF 1/10 and source translation is dynamic-ip-and-port.</P> <P>Finally, we created a security policy to allow traffic from that source to the internet.</P> <P>We have one virtual route for the old ISP. It's my understanding that no VR is required when using PBF as no failover or redundancy is required between the two links.</P> <P>&nbsp;</P> <P>The source server doesn't have internet connectivity. FW's Software Version is 9.1.14-h4. We don't use Panorama to manage it.</P> <P>&nbsp;</P> <P>I found a similar KB for reference :&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK#:~:text=Policy%20based%20forwarding%20allows%20you,to%20tweak%20the%20routing%20table" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK#:~:text=Policy%20based%20forwarding%20allows%20you,to%20tweak%20the%20routing%20table</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I spent countless hours with PA engineers and they confirmed that the setup looks good, but for some reason they couldn't figure out why this setup is not working.</P> <P>any thoughts? Thanks in advance.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anees10_0-1666768952880.png" style="width: 781px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44881iFAF597FCD8CB5651/image-dimensions/781x41/is-moderation-mode/true?v=v2" width="781" height="41" role="button" title="Anees10_0-1666768952880.png" alt="Anees10_0-1666768952880.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anees10_3-1666769066909.png" style="width: 794px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44884iC58728A8FCDFAAAB/image-dimensions/794x66/is-moderation-mode/true?v=v2" width="794" height="66" role="button" title="Anees10_3-1666769066909.png" alt="Anees10_3-1666769066909.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anees10_5-1666769175304.png" style="width: 887px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44886i9C47E15497C378A3/image-dimensions/887x54/is-moderation-mode/true?v=v2" width="887" height="54" role="button" title="Anees10_5-1666769175304.png" alt="Anees10_5-1666769175304.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anees10_6-1666769225950.png" style="width: 858px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44887iA3FBF0A53F20B287/image-dimensions/858x172/is-moderation-mode/true?v=v2" width="858" height="172" role="button" title="Anees10_6-1666769225950.png" alt="Anees10_6-1666769225950.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 26 Oct 2022 07:33:43 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519167#M107660 Anees10 2022-10-26T07:33:43Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519243#M107667 <P>Does the traffic from the single server egress out ISP 1 even with the PBF in place?&nbsp;</P> <P>Do the logs show anything interesting with rule hits, allow/deny, etc?</P> <P>Any packet captures on any interfaces to track where the traffic is going?</P> Wed, 26 Oct 2022 14:33:40 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519243#M107667 rmfalconer 2022-10-26T14:33:40Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519244#M107668 <P>Thanks for your reply.&nbsp;</P> <P>1. The single server doesn't have internet connectivity. It can still talk to the other servers on the LAN but it doesn't have internet connectivity.</P> <P>2. Captures show that ARP requests are incomplete. This could be due to the fact that there is no VR configured for ISP2.</P> <P>&nbsp;</P> <P>&gt;show arp all <BR />ethernet1/10 147.129.178.129 (incomplete) ethernet1/10 i 1</P> <P>&gt;show counter global filter packet-filter yes delta yes severity drop<BR />flow_fwd_l3_noarp 7 0 drop flow forward Packets dropped: no ARP<BR /><BR /></P> Wed, 26 Oct 2022 14:48:04 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-is-not-working-for-secondary-isp/m-p/519244#M107668 Anees10 2022-10-26T14:48:04Z