topic Re: Policy Based Forwarding vs Security Rules in General Topics

Policy Based Forwarding vs Security Rules

psharma — Thu, 22 Jun 2017 17:53:02 GMT

Hello,

I am not quite sure about the difference between rules created under 'Policy based forwarding' and 'Security' under Policies tab.

Could someone please help understand how are the rules different that are created under security and Policy based forwarding?

Thanks,

Re: Policy Based Forwarding vs Security Rules

Raido_Rattameister — Thu, 22 Jun 2017 18:44:18 GMT

PBF rules are checked before routing table and if any match then routing table is skipped.

So Security policies are to permit or deny traffic and PBF rules are used to decide where traffic should go to.

Re: Policy Based Forwarding vs Security Rules

psharma — Thu, 22 Jun 2017 19:06:32 GMT

ok, now i understand the difference between PBF and security rues but what is the need for PBF?

Is the Forwarding table alone not sufficient enough?

Basically, why do we need PBF if we already have routing tables?

Thanks,

Re: Policy Based Forwarding vs Security Rules

jvalentine — Thu, 22 Jun 2017 19:30:56 GMT

Routing is based on "destination". To get to y.y.y.y send to next-hop z.z.z.z

Policy-based Forwarding adds Source IP address to the routing decision. This allows you to make routing decisions based on where the traffic is coming from - not just based on the destination.

One example:

PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

Routing: "Send all corporate traffic through the expensive MPLS circuit"

Another example:

PBF Rule 1: "Forward half of my users via ISP1"

PBF Rule 2: "Forward the other half of my users via ISP2"

PBF Rule 3: "Forward all users via ISP1" (in case ISP2 is down)

PBF Rule 4: "Forward all users via ISP2" (in case ISP1 is down)

Re: Policy Based Forwarding vs Security Rules

BPry — Thu, 22 Jun 2017 20:41:13 GMT

@psharma,

There are quite a few use cases for PBF that would dictate that certain traffic is sent to a certain destination. PBF lets you specify an application, which wouldn't be possible if you are using just the routing table.

Re: Policy Based Forwarding vs Security Rules

psharma — Thu, 22 Jun 2017 20:55:02 GMT

from this example:

One example:

PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

Routing: "Send all corporate traffic through the expensive MPLS circuit"

I do not feel any real difference between PBF and routing from the example above.

But, i do understand that PBF is used when you are deciding where to route based on the source and not on the destination as we typically do in routing.

However, in your example, it looks like you are deciding based on source for both. then how come the corporate one will be taken as routing and not PBF?

Re: Policy Based Forwarding vs Security Rules

jvalentine — Thu, 22 Jun 2017 21:01:26 GMT

In the first example, "forward guest wireless traffic" is a single PBF rule, where the 2nd rule (send everything else via MPLS) happens in the virtual router / default route. I'll tweak the example to be a little more clear:

PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

Routing: "Send all traffic through the default route (MPLS circuit)"

My mistake for saying "all corporate traffic" - I meant "all traffic" that didn't match the PBF rule. Hope that clears it up.

Re: Policy Based Forwarding vs Security Rules

jvalentine — Thu, 22 Jun 2017 21:08:15 GMT

@BPry wrote:
PBF lets you specify an application, which wouldn't be possible if you are using just the routing table.

Using Application for match criteria in a Policy-Based Forwarding policy is not recommended. Palo Alto Networks recommends using a service object instead, if possible. Not to say that Application-based PBF doesn't work, but there are a handful of caveats to be aware of:

- https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_13619

That being said, the example is helpful as it's a great difference between PBF and Routing.

Re: Policy Based Forwarding vs Security Rules

BPry — Thu, 22 Jun 2017 21:08:17 GMT

@psharma,

You would use routing because it would state something along the lines of all traffic should go out the MPLS circut; then with PBF you specify with guest wireless traffic goes out the ISP gear.

Further example would be if I had a route that stated 10.191.0.0/16 needs to go to a specific circuit.

Say that I have my GIS users on 10.191.80.0/25 and for a undetermined amount of time I need to route them through a different circuit do to a potential litigation hold (sigh); I would find that easier to do with a PBF which is easy to create and remove on the fly rather than messing around with my routing table and breaking subnets out of my 10.191.0.0/16 range.

Re: Policy Based Forwarding vs Security Rules

BPry — Thu, 22 Jun 2017 21:09:35 GMT

@jvalentine,

That's why I put it in; missing the first hand-full of packets until you actually get identified can be a pain, but thankfully we now have that awesome application cache so it's less of an issue 😉

Re: Policy Based Forwarding vs Security Rules

psharma — Fri, 23 Jun 2017 14:25:42 GMT

@jvalentine

Thank you for beautifully explaining it.

Appreciate it. Now i have good understanding of the basic differences.

Cheers,

Re: Policy Based Forwarding vs Security Rules

psharma — Fri, 23 Jun 2017 14:27:06 GMT

@BPry

Thank you!
Your explanation helped me understand it better.

Cheers,