PBF policy not working.

debsPal0 — Tue, 14 Jun 2011 14:52:12 GMT

Hi,

I have packets that arrive on interface eth1/10 that I need to be forwarded back out of eth1/10 with a next hop address of another router on that subnet. I have created a pbf rule that I hope would achieve this however it is currently not working. It looks like the following :

==========================================================

Interface eth1/10 IP : 3.3.3.1

Interface eth1/10 Zone : dummy-zone1

Source Zone : dummy-zone1

Source Address : any

User : any

Destination Address : [*NEGATE* : 1.1.1.1] (so I would like the pbr rule to apply to all traffic that does not match the configured address i.e.2.2.2.2)

Application : any

Service : any

Action : forward

Forwarding Egress I/F : eth1/10

Next Hop : 3.3.3.2

No Monitoring

==========================================================

Unfortuanly I am not currently familiar enough with PA to run any extensive debugging. Also, is it possible to apply a pbr policy with an egress interface being the same as the source interface?

I have substituted the real IP addressing with dummy addressing in the example above.

Any comments or suggestions would be appreciated, this is my first post so be gentle 🙂

Regards,

James.

Re: PBF policy not working.

skrall — Wed, 15 Jun 2011 19:24:37 GMT

There is no way to specify traffic that came in on Eth1/10 needs to go out on Eth1/10. PBF is based on zones, IPs, App and Service. If the traffic on on Eth1/10 all comes from a small set of networks, you can just add static routes to direct traffic back out the same interface.

PBFis used to defeat or override the routing table. If this is a 2 ISP scenario and traffic that comes in from ISP1 interface should go out the ISP1 interface you might try usng NAT to manipulate the source IP but this gets complicated quickly. You probably need to test this and open a support call if you get stuck.

Steve Krall

topic Re: PBF policy not working. in General Topics

PBF policy not working.

Re: PBF policy not working.