topic Re: PBR forwarding does not work in General Topics

PBR forwarding does not work

ZEBIT — Mon, 20 Nov 2017 07:59:23 GMT

For the first time I configured a Palo Alto firewall.

I have created three zones each connected with a specific interface:

INTERN

EXTERN

DMZ

For each zone I created a virtuel router each configured with static routes :

Intern:

DMZ -> Interface DMZ

Dmz:

EXTERN -> Interface EXTERN

INTERN -> Interface INTERN

Extern

0.0.0.0 0.0.0.0 -> IP ISP Router

DMZ -> Interface DMZ

I connected PC's on each interface with the correct IP settings. Each PC can ping its own default gateway on the firewall but they can't ping each other. In the policy settings I created a rule that everuthing is allowed between the zones.

What can be the problem?

Re: PBR forwarding does not work

ZEBIT — Mon, 20 Nov 2017 09:29:04 GMT

The routing seems to work better after creating some policies.

But the clients still doesn't respond. In the traffic monitor I always get Session End Reason: aged out.

Re: PBR forwarding does not work

ZEBIT — Mon, 20 Nov 2017 10:07:17 GMT

I need to create a PBF rule that does not PBR the traffic between INTERN and DMZ but I don't understand why.

Re: PBR forwarding does not work

pulukas — Mon, 20 Nov 2017 11:44:30 GMT

With the virtual routers you will need a route in each of the virtual routers to the other VR subnets that need to be reached. so the internal VR needs a default route to external vr for internet access. And a route to the dmz vr for that subnet.

The external vr needs a route to internal subnet via internal vr and to dmz subnet for the dmz vr.

the DMZ vr needs a default route to the external vr for internet access and to the internal subnet via the internal vr.

No PBF is needed just the routes.

Now the traffic you want to allow require security policies to permit the traffic from zone to zone based on who initiates the tcp session.

Finally, you need to create NAT policies also from zone to zone based on tcp initiation for the source nat for internet access and for any inbound DMZ destination nat traffic.

Why are you puting every zone in a virtual router?

None of that routing configuration is needed if all the interfaces are just in the same router to begin with. Generally the only reason to separate virtual routers is if you have dual ISP and need to have two active default routes at the same time so we need two routing tables to accomplish this. Your setup seems pretty standard and would be much simpler in just a single base router setup.

Re: PBR forwarding does not work

reaper — Mon, 20 Nov 2017 13:23:56 GMT

I agree with @pulukas: your configuration would be much simpler if you set all interfaces in the same virtual router, then you'd only need security policies and NAT to make everyhting work

please take a look at this article which may help you on your way: Getting Started: Layer 3, NAT, and DHCP

and this one on PBF: Getting Started: Policy Based Forwarding

Re: PBR forwarding does not work

BPry — Mon, 20 Nov 2017 13:23:57 GMT

@ZEBIT,

I'm just going to second what @pulukas has already stated. From what you've described, there isn't really any reason to have multiple VRs. TO keep your configuration looking a bit more standard I would simply combine all of the zones into one virtual router, if you continue to keep everything the way you are doing you'll run into configuration issues. To add to that a little bit, almost every guide that you read going forward is centered around one Virtual Router configuration, not multiple. Guides may not work for you as you intend, support may not be as able to help you do to your configuration, and most of the Live community is going to just assume you have one VR.

Re: PBR forwarding does not work

ZEBIT — Mon, 20 Nov 2017 15:01:02 GMT

After some searching I got everything to work with my configuration.

But when and why you would use multiple virtual routers and PBR?

As mentioned here it is only necessary if you use multiple ISP.

Re: PBR forwarding does not work

reaper — Mon, 20 Nov 2017 16:41:00 GMT

@ZEBIT

there are a few scenarios: you can use multiple VR if you need to segregate interfaces from eachother: they will not be able to reach eachother unless you add a route to specifically allow it (all interfaces on the same vr can automatically 'route' to eachother)

PBF can be used to make a preferred route on top of normal routing eg. if you have 2 ISP, one leased line and one DSL, you could create a PBF to route non-important web-browsing over the DSL line. If the ISP were to fail, routing would fall back to your static routes and web-browsing would go over the leased line

PBF and multiple VR's don't necessarily need to go hand in hand, the dual ISP solution does not require 2 VRs, but this scenario does:

if you need to set up redundant VPN tunnels, you will need to have 2 static route (eg default gateways) working at the same time so the tunnels can remain 'up'. PBF can then be used to direct traffic to one VR or the other depending on your preferred conditions

hope this makes sense (did you check out the PBF article i provided above ?