topic Re: PBFand Default route in General Topics

PBFand Default route

Venuprasad — Wed, 15 Jun 2016 12:16:46 GMT

In our orginazation, we have dual ISP and PAN firewalls. We have configured PBF with ISP 1 and default route for ISP 2

Both ISP interfaces on Pan firewall is same zone called untrust

example : ethernet 1/11

ethernet 1/11.200 ----- 192.168.1.1/30 - untrust

ethernet 1/11.250 ------172.16.10.1/30 - untrust

When primary ISP goes down, the traffic is not taking default route. if we configure another zone like untrust1 to second ISP

when the PBF fails, traffic will take default route, Is something we need configure here if the both the ISP's are in same zone

Re: PBFand Default route

reaper — Tue, 28 Jun 2016 07:48:44 GMT

outbound traffic may be hitting an incorrect NAT rule as the zones are identical, what is the output of "show session id <id>" of a failing session the moment the default route should be used? is the egress interface correct, is the source NAT accurate,...

Re: PBFand Default route

Roby_Sreejith — Tue, 28 Jun 2016 08:26:14 GMT

In PBF have you configured monitoring option ( like 8.8.8.8) this wll give info to firewall that ISP 1 is down use routing table

Re: PBFand Default route

ShannonRowe — Tue, 28 Jun 2016 21:22:44 GMT

Yes as per Roby's comment you need the monitor or PAN will still execute the PBF policy as it does not know your ISP 1 is down.

You could easily test this by putting in a single (test) source IP in the PBF and set a monitor which does not respond, then do a traceroute from the source IP. You should see the route go via ISP2.