https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133230#M47182 <P>Both firewalls are on the same LAN, the default gateway of the LAN clients is the first firewall. Thanks.</P> Fri, 16 Dec 2016 11:37:55 GMT Jordan_Roebuck 2016-12-16T11:37:55Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133219#M47178 <P>Hi all. We have two Palo 3020s, each connected to a different ISP. At the moment the 1st firewall handles all our LAN internet based traffic, whereas the second firewall is mainly used for our VPN connections. We're looking at forwarding streaming traffic from the 1st firewall to the second firewall, to reduce the bandwidth usage on our primary ISP connection. I've been looking into configuring Policy Based Forwarding to achieve this, but most examples I see of this only use one firewall connected to multiple ISP connections. We're unable to connect our first firewall to the secondary ISP connection. Looking for advice on how I can forward this traffic through a seconadry Palo.</P> Fri, 16 Dec 2016 10:42:13 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133219#M47178 Jordan_Roebuck 2016-12-16T10:42:13Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133226#M47179 <P>Hi,</P><P>&nbsp;</P><P>Are these firewall on the same LAN but got two different ISPs connections? What is the default gateway for your LAN clients?</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Fri, 16 Dec 2016 13:44:44 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133226#M47179 TranceforLife 2016-12-16T13:44:44Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133230#M47182 <P>Both firewalls are on the same LAN, the default gateway of the LAN clients is the first firewall. Thanks.</P> Fri, 16 Dec 2016 11:37:55 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133230#M47182 Jordan_Roebuck 2016-12-16T11:37:55Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133234#M47184 <P>Hi,</P><P>&nbsp;</P><P>Thanks for the confirmation. Havent done much &nbsp;of PBF but l think you can specify in the policy for the specific traffic to be fowarded to the 2nd firewall, &nbsp;then that firewall will use its ISP connection to get out.</P><P>Second option would be&nbsp;to have a router/Layer 3 device as DG and do PBF there so it will deside which traffic to send where (1st or 2nd FW)</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P><P>&nbsp;</P> Fri, 16 Dec 2016 13:45:12 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133234#M47184 TranceforLife 2016-12-16T13:45:12Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133235#M47185 <P>PBF will work just fine if you consider for each firewall the 'other firewall' is an ISP instead of 'your firewall'</P> <P>&nbsp;</P> <P>eg. on firewall 1 you'd need to set up pbf routing as if firewall 2 is the second ISP</P> <P>&nbsp;</P> <P>could you include your topology, this may help get the creative juices flowing also <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 16 Dec 2016 12:36:51 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133235#M47185 reaper 2016-12-16T12:36:51Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133261#M47189 <P>&nbsp;</P><P>See below for a crude diagram of the topolgy</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBF.jpg" style="width: 763px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6939iC38B05F18500EBB8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PBF.jpg" alt="PBF.jpg" /></span></P><P>&nbsp;</P><P>As a test I configured policy based forwarding on P1 with source as the inside traffic (1/2) with 1/6 as the egress interface and 192.168.255.254 as the next hop, I also enforced symetric return. This doesn't work as the traffic still leaves 1/1 (ISP1) on the first Palo.</P> Fri, 16 Dec 2016 14:12:24 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133261#M47189 Jordan_Roebuck 2016-12-16T14:12:24Z https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133264#M47190 <P>Hi,</P><P>&nbsp;</P><P>Thx for the diagramm. Did you try to allow any traffic? Just test with any as a destination. &nbsp;Can you post screen shots of the PBF?</P><P>&nbsp;</P><P>Myky</P> Fri, 16 Dec 2016 14:29:39 GMT https://live.paloaltonetworks.com/t5/general-topics/forwarding-streaming-traffic-to-a-second-palo/m-p/133264#M47190 TranceforLife 2016-12-16T14:29:39Z