topic Re: PBF Monitor Target in General Topics

PBF Monitor Target

TomMeadows — Thu, 06 Feb 2020 15:22:55 GMT

Scenario is dual-ISP scenario using PBF to connect via primary ISP but switch to secondary if primary goes down.

In a Policy Based Forwarding rule in the Monitor section of the Forwarding tab, there are 2 checkboxes: one for Monitoring itself, and the second one labelled "Disable this rule if nexthop/monitor ip is unreachable".

Firstly, what is the point of the 2nd "Disable this rule" checkbox? Why would someone leave it unchecked? If we are monitoring connectivity to an external address, and we can't reach it over the egress interface, would we not always want the PBF rule to disable? What scenario would we not want to do this?

Secondly, if a monitor IP address is added, does the Palo Alto just check connectivity to that address, or also to the next-hop as well? The checkbox label says "disable this rule if nexthop/monitor is unreachable" which is unclear to me.

Re: PBF Monitor Target

SutareMayur — Thu, 06 Feb 2020 16:18:22 GMT

hey,

PBF rule is not applied when the monitoring host is unreachable. If no IP address is specified for monitoring, then the next hop IP is monitored. When a PBF rule is configured with monitoring enabled, the egress interface send keepalives to monitoring IP or next hop.

Re: PBF Monitor Target

OtakarKlier — Thu, 06 Feb 2020 22:33:55 GMT

Hello,

So you asked two questions. I'll try and be brief on both:

I really dont have an answer for this. There could be a use case, but cant think of one at the moment.
It will only monitor the IP you specifiy, regardless if its next hop or further down the line.

Hope that helps.

Re: PBF Monitor Target

srogatnev — Fri, 14 Feb 2020 03:33:54 GMT

In dual-ISP scenario without running BGP, I always advise to a customer to add host-based static route to ISP serial IP. This way, no matter what platform/feature/check-box is used, my monitor packet would reach next hop via right egress interface.

Re: PBF Monitor Target

WafikMaher — Wed, 09 Jun 2021 07:57:10 GMT

Hi Tom,
For the first point, if you the objective of the monitoring is to fallback then the Disable option should be checked. However if there is no alternative path, and the objectective is just to detect path failure, then the Disable option should not be checked.

For the second point if there is no monitor "IP Address", it will monitor on the "Next Hop". However if there is monitor IP address it will monitor on it instead of the Next Hop. No need to monitor the next hop separetly as it will be used on the way to the "IP Address" anyways.
Hope this make sense.

Re: PBF Monitor Target

stefan.tomasevic — Thu, 26 Sep 2024 11:46:23 GMT

PBF rule is not applied when the monitoring host is unreachable

@SutareMayur wrote:

hey,

PBF rule is not applied when the monitoring host is unreachable. If no IP address is specified for monitoring, then the next hop IP is monitored. When a PBF rule is configured with monitoring enabled, the egress interface send keepalives to monitoring IP or next hop.

Does this mean that next rule will be applied (if there is a matching criteria) if first one is unreachable?