topic Re: Useless PBF warning in General Topics

Useless PBF warning

TheRealDiz — Thu, 23 Mar 2017 10:20:31 GMT

Hi All,

That's not an issue.. I just want to share with you this thought

Starting from the fact that the egress interface is NOT a matching criteria.. But I have to configure around 80 VPN tunnel (with their own backup tunnel using pbf option "disable if unreachable") .. so it means I will have 80 warnings.. :,(

It should be useful to put egress interface in PBF policies as a matching criteria?

What is it your opinion?

Regards

D!Z

Re: Useless PBF warning

ansharma — Fri, 24 Mar 2017 05:51:52 GMT

Hi TheRealDiz,

It's not possible to put the egress interface as a condition, as the PBF is itself responsible for determining the egress interface (the result cannot be a condition).

In Palo Alto, either the PBF or the Routing table determines the egress interface.

In your screenshot I can guess rule 7 is shadowing 8, 3 is shadowing 4. Reason is that the conditions are identical for 3/4 and 7/8. Moreover, rule 8 and rule 4 might not actually trigger if you don't choose the monitor profile correctly or check the box for 'Disable this rule if the next hop/monitor IP is unavailable'.

Nothing can be done about the warnings. By the way, how many paths can a single tunnel take? If it's just 2, usually you'd put the main path in the PBF and a backup path in the VR. Do you have 3 paths, 2 via PBF and 1 via VR? If it's 2, configure the backup path in the VR (static route = next hop is backup tunnel interface (no IP req'd)). And, in your PBF choose a monitor profile with the Action - Fail over and uncheck the box for 'Disable this rule if the next hop/monitor IP is unavailable'.

Regards,

Anurag

Re: Useless PBF warning

Elmer_Potts — Thu, 14 Nov 2019 21:24:06 GMT

I've had the same issue, and I resolved it by adding a "dummy" zone to the shadowed PBF rule, as shown below: