topic Re: PBF is working, but I want to exclude GP in General Topics

PBF is working, but I want to exclude GP

Joukevanduijsen — Mon, 14 Jan 2019 09:01:29 GMT

Hello everyone,

New here and fighting with my new PA-820.

I have 2 ISP's and I want to make the best use possible of those two.

So I created a PBF which reroutes HTTP and HTTPS traffic over the 2nd modem.

Now I have speeds over 350mbit/s for clients and not bothering other important server data which I have only 40mbit/s for.

So this is all working fine! Until I use GP for VPN.

The HTTP and HTTPS reroute works fine though, but the internal web applications over port 80 and 443 are rerouted aswell.

So every internal webserver will time out. Age out and and is incomplete.

But for example a webserver with a different port (like synology port 5000) will work fine.

Now GP is more important, so i turned off the PBF and everything works now...

But I really want to use our wide bandwith instead of a very narrow one.

I've tried everything from tunnel traffic no-pbf rule to DNAT's to stop GP from using the PBF rule.

But maybe I'm overlooking something...

Can someone point me in the right direction?

Re: PBF is working, but I want to exclude GP

LukeBullimore — Mon, 14 Jan 2019 09:07:11 GMT

Hey @Joukevanduijsen

Can you share a screenshot of your PBF policy when it was at the undesired state?

Thanks,

Luke.

Re: PBF is working, but I want to exclude GP

Joukevanduijsen — Mon, 14 Jan 2019 09:27:52 GMT

Sure! Here it is!

As you can see, i've already tried to Negate the VPN pool, but the GP is also directly hooked to trust-zone.

The last IP you see is monitoring, if this IP is not reachable the PBF rule is deactivated.

Re: PBF is working, but I want to exclude GP

LukeBullimore — Mon, 14 Jan 2019 09:32:09 GMT

Your PBF rule should only really be applied to destination zone Untrust, that way it will only activate for internet facing traffic where NAT via the two ISPs is actually required. Then, when you try to visit some internal server in destination zone Trust or DMZ the PBF policy won't even be applied.

What I have done in the past:

Source Zone: Trust

Source IP: Any

Destination IP: All RFC 1918 addresses (negate option checked)

Destination Zone: Untrust

Re: PBF is working, but I want to exclude GP

Joukevanduijsen — Mon, 14 Jan 2019 09:52:42 GMT

Ahh! Thank you! I'm going to try that now

Re: PBF is working, but I want to exclude GP

Joukevanduijsen — Mon, 14 Jan 2019 15:04:19 GMT

That didn't work... but the session browser told me a critical thing.

The data was not correctly sent back..

So after thinking with two people, we decided to create this:
PBF1 - VPN zone to Trust - any any - No PBF

PBF2 - Trust to VPN IP Pool - any any - No PBF

PBF3 - Trust to Any - Forward Application [Web-Browsing + SSL] to I/F Eth1/1.400, next hop Router Gateway with Monitor

Now everything works as expected!

Thank you for your precious time 🙂

Re: PBF is working, but I want to exclude GP

HamiltonUSD — Thu, 19 Aug 2021 05:04:15 GMT

Thank you, Joukevanduijsen!

I was having this issue as well but due to different circumstances. I have a Appliansys Caching Server. All 80 & 443 traffic is routed to that device via a PBF rule. Everything works great except when I'm connected via GlobalProtect VPN. When I'm connected via GP, I can access any device in my network that uses a port other than 80 & 443. When I disable the PBF rule, everything works fine. I've been working with support on this for two weeks without any progress. Your post solved this for me. I just wanted to reply to thank you and confirm this does work!

Cheers