Does PBF work across different virtual routers?

CMG — Tue, 15 Nov 2016 21:05:13 GMT

i.e Will a PBF rule work if the incoming packet is received on an interface associated with one virtual router, and the rule tells it to go out an interface associated with a different virtual router?

I'm assuming it should.. just wanted to clarify..

Re: Does PBF work across different virtual routers?

DonohoeRobert — Thu, 17 Nov 2016 11:21:19 GMT

Hi CMG,

Yes this works fine assuming the following;

both interfaces part or same zone

asymmetric routing not in play

sec policies allowing same

Run the following commands when testing; {apply filters for the source & dst you are testing with.. so counters relevant }

show counter global filter packet-filter yes delta yes

use the following articles if getting droppped due to asymmetric R

https://live.paloaltonetworks.com/t5/Configuration-Articles/SYN-ACK-Issues-with-Asymmetric-Routing/ta-p/54090

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Issues-with-Asymmetric-Routing/ta-p/65456

run the following cmds to test the pbf rule matches whats expected aswell, replacing IPs as required. Ping protocol number is 1 and what I used for a quick test..

admin@PA-3000> test pbf-policy-match application any from untrust destination 172.25.5.239 protocol 1 source 172.25.4.6

test {
id 1;
from untrust;
source any;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/2;
next-hop 0.0.0.0;
terminal no;
}

best regards

Robert D

topic Re: Does PBF work across different virtual routers? in General Topics

Does PBF work across different virtual routers?

Re: Does PBF work across different virtual routers?