topic Re: Policy Based Forwading Capability Question in General Topics

Policy Based Forwading Capability Question

WesNeary — Wed, 04 Nov 2015 16:03:12 GMT

Hello All, Was just wondering if anyone may be able to help with this our question.

Please see the attached High Level Diagram. Both Firewalls are PA 3020's with the full licence set enabled. We need to replace the ISA server which is not providing any other functions than forwarding the traffic down one of the 3 paths in the diagram, unfortunately we need to maintain this capability owing to some historic complexities with certain applications in our infrastructure not working through our proxy or via the cloud proxy or vice versa.

I know the PA can do Policy based forwarding which would suffice for the passage of traffic either via the Local Proxy or directly out via the ISP router. Everything I have read would suggest that the PBF is more of a routing level thing which requires an interface in the same subnet within the PA.

Obviously this is not possible for the cloud hosted proxy, if we were to set the egress interface and just put the next hop address as the cloud proxy would that function. My inclination is that the next hop needs to be exactly that but just looking for confirmation before I buy another solution. Thanks in Advance

Re: Policy Based Forwading Capability Question

OtakarKlier — Thu, 05 Nov 2015 00:07:13 GMT

So the PAN interface doesnt need to be on the same vlan segment, it should just need to have the traffic routed to it. The PBF then should be setup by source and then flow out a destination interface on the PAN. The interface shouldnt need to be on the same segment as long as the way the packets flow out they get sent towards their intended destination.

I dont think I did a good job explaining this. Here is the link to a PBF doc that does a good job explaing it.

https://live.paloaltonetworks.com/t5/Documentation-Articles/Policy-Based-Forwarding/ta-p/54408

Re: Policy Based Forwading Capability Question

WesNeary — Thu, 05 Nov 2015 07:41:27 GMT

Hi Otakar,

Thanks for the reply, i think i may not have explained this fully, we are trying to replace the ISA server whihc at the moment based on policy directs the traffic to the cloud proxy by ammending the packet header and its this function i am wondering whether the PA can reproduce to allow us to remove the ISA.

Re: Policy Based Forwading Capability Question

OtakarKlier — Thu, 05 Nov 2015 18:33:05 GMT

Hello,

I think the answer here is it depends on what the ISA server is currently doing to detect/authorize traffic. The PAN can do somethings but not everything. It would be helpful if you could explain, without give us the keys to the kingdom, what actions/inspections the ISA server is currently performing. I think based on that we could determine if the PAN can replace the ISA.

Regards,

Re: Policy Based Forwading Capability Question

rmonvon — Tue, 10 Nov 2015 20:58:11 GMT

Hi WesNeary...Are your users explicitly proxied (browser set to use proxy server) to the ISA server, and the ISA server is using proxy chaining to connect the cloud service? In other words, the ISA server is configured to use an upstream proxy server = cloud service.

Re: Policy Based Forwading Capability Question

WesNeary — Thu, 12 Nov 2015 09:58:13 GMT

Hi Rmonvon

You are correct clients have the ISA set as there browser proxy this then based on its rulesets forwards the traffic to either our onsite proxy, the upstream proxy or directly to the internet.