topic Re: Can Policy-based forwarding be used for routing the firewall connection for updates? in General Topics

Can Policy-based forwarding be used for routing the firewall connection for updates?

FrankMurray — Tue, 05 Jan 2021 02:15:43 GMT

We've got a firewall that doesn't have a management interface connection. The default route for the firewall is configured across a tunnel interface. The service route has been been configured to use the outside interface- there's no option to use the tunnel interface.

I'm trying to get Policy-based forwarding working so traffic sourced from the firewall's outside interface has a 0.0.0.0/0 route to the next-hop router. But it's not working- can't get dynamic updates. Can't download software.

Any ideas?

Thanks

Re: Can Policy-based forwarding be used for routing the firewall connection for updates?

SutareMayur — Tue, 05 Jan 2021 06:02:21 GMT

Hi @FrankMurray ,

PBF will not work for the traffic which is originating from PA firewall interfaces. It will get used only for the systems which are behind firewall. So when traffic is originating from the firewall, it will use routing table to check routes for the desired destination.

Hope it helps!

Re: Can Policy-based forwarding be used for routing the firewall connection for updates?

aleksandar.astardzhiev — Tue, 05 Jan 2021 14:55:27 GMT

Hi @FrankMurray ,

This is one of the reason I really hate setup that requires default route pointing to VPN tunnel. I would suggest you do to the following, which unfortunately will require a massive change:

1. Create two separate virtual-rotuers (vr).

2. Assing your outside/public fw interface to vr1 and configure the default route via the public interface

3. Assing your lan/internal fw interface to vr2.

4. Configure your IPsec tunnel to use your public/outside interface for local peer IP, but assing the tunnel interface to vr2

5. Configure the default route for vr2 to the tunnel interface.

This will allow you to have default route for the internal resource pointing to the tunnel, while the fw still have default route pointing to the next-hop via the outside interface. After that is should be enough to set the service route to use the public interface which will take the default route from vr1 of to public internet and not vpn.

Re: Can Policy-based forwarding be used for routing the firewall connection for updates?

Braulio.Pineda — Mon, 30 Jan 2023 03:58:19 GMT

So that's why my lab environment to test 2 ISP connection never worked 😅