topic Re: PBF for incoming traffic in General Topics

PBF for incoming traffic

MicheleCane — Fri, 11 Aug 2023 15:07:33 GMT

Hello everyone,

I've a setup on a PA-820 cluster with 3 ISP connections.

Every connection has its own zone (for clarity WAN-1, WAN-2 and WAN-3) and the default route in the virtual router is for WAN-2.

I need to publish some services from my DMZ subnet on the WAN-1 but if I try to configure the nat and security policy i can't see any sort of traffic coming from Internet because of asymmetric routing.

The packet is entering from the interface on WAN-1 zone but the response packet is going through the default route to WAN-2.

I try to configure a PBF policy (following this article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK) for the WAN-1 interface with forward to egress interface of DMZ and force return to WAN-1 isp router but is not working at all.

In the traffic monitor I can't see nothing and if I make a packet capture on the interface I see a lot of tcp retransmissions.

Any idea to solve the problem and to configure the pbf correctly?

Regards

Michele

Re: PBF for incoming traffic

TomYoung — Fri, 11 Aug 2023 19:26:53 GMT

Hi @MicheleCane ,

If you enabled ECMP with Symmetric Return traffic coming in a WAN interface will go out the same interface. If you want all traffic to continue to go out WAN-2, then you could use a Method of Weighted Round Robin with WAN-2 configured for 100 and WAN-1 and WAN-3 configured for 0. You will need to add default routes for WAN-1 and WAN-3, but the WRR should force all outbound traffic out WAN-2. I have NOT tested this in a lab.

Thanks,

Tom

Re: PBF for incoming traffic

Basavaraj_Ningappa — Sat, 12 Aug 2023 11:56:57 GMT

Hi Michele,

Did you find the solution to you're issue?

Regards

Re: PBF for incoming traffic

MicheleCane — Sun, 13 Aug 2023 13:42:49 GMT

Not yet, I try to find a solution using pbf because it's a production environment and I'm a little scary of making changes in the virtual router

Re: PBF for incoming traffic

Basavaraj_Ningappa — Sun, 13 Aug 2023 17:24:27 GMT

Hi Michele,

what I was thinking is configuring the nat with bidirectional, so whatever the service your publishing using wan 1 or 2 for those NATs you can enable bidirectional, so that they follow same session on which interface traffic is arriving

just a thought.

Regards

Re: PBF for incoming traffic

TomYoung — Mon, 14 Aug 2023 20:44:39 GMT

Hi @MicheleCane ,

For those services on DMZ that you want to publish on WAN-1, do you want all traffic from those DMZ servers to egress WAN-1? If so, create a simple PBF rule that forwards all traffic from that source IP to the WAN-1 next hop.

Thanks,

Tom

Re: PBF for incoming traffic

MicheleCane — Wed, 16 Aug 2023 08:26:50 GMT

Hi everyone,

finally I found the resolution to my problem.

I find out that on my zones WAN-1,WAN-2,WAN-3 there was a zone protection policy and the option "IP Spoofed Address" was enabled.

I create a new zone protection specific for the WAN-1 zone disabling the mentioned option and suddenly everything starts working as expected.

I already have a PBF for outgoing traffic from the DMZ to the WAN-1 for returning traffic as suggested by Tom.

Thanks to everyone

Michele