https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/310840#M80489 <P>I have two ISPs configured with path monitoring and I can successfully monitor the primary route and fail over to the secondary, however what I would like to do now is use PBF to always send some of my traffic out the secondary ISP.&nbsp; Everything I've read says this is possible and should be fairly straight-forward but I just can't seem to get it to work.&nbsp; I have a test PBF policy set up for all traffic from a single client and the policy appears to be working, hit counts increase and my traffic detail shows that the correct interface and NAT policy is being applied however I don't get any packets back.&nbsp; I've torn down and rebuilt the rules a couple times now so it's possible I've become blind to a simple missed setting.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NAT.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23925i55D748699A7A01C0/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="NAT.jpg" alt="NAT.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBF.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23926i9A19AF97029FA302/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PBF.jpg" alt="PBF.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Traffic.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23927i67945B700A6FC2C2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Traffic.jpg" alt="Traffic.jpg" /></span></P><P>&nbsp;</P><P>Again if I simply fail the primary route, the secondary route takes over and all traffic flows out so the interface is working as is the outbound NAT and security policies; my problem just seems to be using both interfaces at the same time.&nbsp;&nbsp;</P> Wed, 12 Feb 2020 16:19:10 GMT Cooper80 2020-02-12T16:19:10Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/310840#M80489 <P>I have two ISPs configured with path monitoring and I can successfully monitor the primary route and fail over to the secondary, however what I would like to do now is use PBF to always send some of my traffic out the secondary ISP.&nbsp; Everything I've read says this is possible and should be fairly straight-forward but I just can't seem to get it to work.&nbsp; I have a test PBF policy set up for all traffic from a single client and the policy appears to be working, hit counts increase and my traffic detail shows that the correct interface and NAT policy is being applied however I don't get any packets back.&nbsp; I've torn down and rebuilt the rules a couple times now so it's possible I've become blind to a simple missed setting.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NAT.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23925i55D748699A7A01C0/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="NAT.jpg" alt="NAT.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PBF.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23926i9A19AF97029FA302/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PBF.jpg" alt="PBF.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Traffic.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23927i67945B700A6FC2C2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Traffic.jpg" alt="Traffic.jpg" /></span></P><P>&nbsp;</P><P>Again if I simply fail the primary route, the secondary route takes over and all traffic flows out so the interface is working as is the outbound NAT and security policies; my problem just seems to be using both interfaces at the same time.&nbsp;&nbsp;</P> Wed, 12 Feb 2020 16:19:10 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/310840#M80489 Cooper80 2020-02-12T16:19:10Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/310915#M80501 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132958">@Cooper80</a>,</P><P>One thing to look at is if you have zone protection enabled and you have the spoofed ip address checked in TCP/IP Drop options under Attack Protection. This in conjunction with PBF will cause the firewall to drop the return traffic as it doesn't align with the route table.&nbsp;</P> Wed, 12 Feb 2020 22:54:33 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/310915#M80501 BPry 2020-02-12T22:54:33Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/412848#M92885 <P>Thank you very much BPry and Cooper80. You save my time!</P> Sun, 13 Jun 2021 14:02:58 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-pbf-traffic-not-returning/m-p/412848#M92885 LeVietHa 2021-06-13T14:02:58Z