https://live.paloaltonetworks.com/t5/general-topics/how-can-i-create-a-pbf-rule-to-send-traffic-to-a-http-https/m-p/559236#M113420 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/216380">@ptingalls</a> ,</P> <P>&nbsp;</P> <P>Yes, the proxy has to be on the same subnet as the interface.&nbsp; The NGFW will not change the IP header of the original packet.&nbsp; So, it cannot be routed over the network.&nbsp; It must be forwarded to the proxy MAC address.</P> <P>&nbsp;</P> <P>One way to get around that limitation is with a GRE tunnel if the web proxy supports it.&nbsp; Here is a doc for PBF with GRE for Netskope.&nbsp; <A href="https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/netskope-gre-with-palo-alto-networks-ngfw/palo-alto-networks-ngfw-configuration/" target="_blank">https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/netskope-gre-with-palo-alto-networks-ngfw/palo-alto-networks-ngfw-configuration/</A></P> <P>&nbsp;</P> <P>If the web proxy does not support GRE, then you will need to extend the VLAN to the NGFW.&nbsp; I could be wrong, but I think those are your only 2 options.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sun, 24 Sep 2023 01:09:03 GMT TomYoung 2023-09-24T01:09:03Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-create-a-pbf-rule-to-send-traffic-to-a-http-https/m-p/559235#M113419 <P>when i'm trying to set up the rule, where the next hop is the IP of the proxy - i get an error that this IP "does not match subnets defined on the PBF interface" - which is correct, it's on different subnet. What are my options? Do i have to have the proxy on the same subnet as the interface?</P> Sat, 23 Sep 2023 18:36:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-create-a-pbf-rule-to-send-traffic-to-a-http-https/m-p/559235#M113419 ptingalls 2023-09-23T18:36:32Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-create-a-pbf-rule-to-send-traffic-to-a-http-https/m-p/559236#M113420 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/216380">@ptingalls</a> ,</P> <P>&nbsp;</P> <P>Yes, the proxy has to be on the same subnet as the interface.&nbsp; The NGFW will not change the IP header of the original packet.&nbsp; So, it cannot be routed over the network.&nbsp; It must be forwarded to the proxy MAC address.</P> <P>&nbsp;</P> <P>One way to get around that limitation is with a GRE tunnel if the web proxy supports it.&nbsp; Here is a doc for PBF with GRE for Netskope.&nbsp; <A href="https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/netskope-gre-with-palo-alto-networks-ngfw/palo-alto-networks-ngfw-configuration/" target="_blank">https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/netskope-gre-with-palo-alto-networks-ngfw/palo-alto-networks-ngfw-configuration/</A></P> <P>&nbsp;</P> <P>If the web proxy does not support GRE, then you will need to extend the VLAN to the NGFW.&nbsp; I could be wrong, but I think those are your only 2 options.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sun, 24 Sep 2023 01:09:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-create-a-pbf-rule-to-send-traffic-to-a-http-https/m-p/559236#M113420 TomYoung 2023-09-24T01:09:03Z