topic Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled in General Topics

PBF Dual ISP, inbound NAT broke with spoofing protection enabled

drewdown — Mon, 20 Sep 2021 13:13:07 GMT

Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured.

When we did this the inbound NATs broke and I found this article:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route which I did but that made no difference. In the end I had to disable 'Spoofed IP address' from the outside zone protection profile to get it working again.

Does anyone know why you can't have PBF, inbound NAT's and spoof protection enabled?

Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled

upelister — Tue, 21 Sep 2021 08:35:23 GMT

Hello,

Have you tried enforce symetric return option from pbf policy Forwarding section.

*Another idea, assign nat ip to a loopback interface than use it for nat.

Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled

drewdown — Wed, 22 Sep 2021 19:15:39 GMT

Do you mean enforce it on the PBF for the dual internet links? PAN documentation is so bad and confusing I am not even sure who they got managing it, a trained monkey?

Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled

TomYoung — Wed, 22 Sep 2021 19:40:04 GMT

Hi @drewdown ,

Could you tell me why you are using PBF? Most dual ISP designs can be handled by routing.

Thanks,

Tom

Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled

drewdown — Thu, 23 Sep 2021 16:28:36 GMT

Pray tell how its handled by routing without running BGP between our multitude of carriers? And what is PBF if not routing?

Besides here is one of many PA articles outlining how to configure DUAL ISPs with failover using PBF: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps

Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled

TomYoung — Thu, 23 Sep 2021 16:55:13 GMT

Hi @drewdown ,

Ahh! I see. You are using PBF because the article which you posted said to use it. My bad. I use this method with my customers -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO. It works well. It uses route metrics for forwarding and not PBF. It's more straightforward. I am curious if removing PBF may remove the NAT issue.

While PBF is policy routing, I prefer a route table lookup. That's what I meant by routing. The nice thing about using the route table is that you can also use both ISPs if you want. You would need to enable ECMP in your VR. I would check the Symmetric Return box. I had one customer where load balancing broke voice, but changing the ECMP method to IP Hash fixed the issue.

With regard to path monitoring, I like to use 2 Internet IP addresses so that one down host doesn't take down the circuit. I ran into one customer (not my setup) that was monitoring 8.8.8.8 for HA path monitoring, and the host went down causing a firewall failover!

Thanks,

Tom

Re: PBF Dual ISP, inbound NAT broke with spoofing protection enabled

drewdown — Thu, 23 Sep 2021 17:01:09 GMT

Hell yeah brother! Another PA article yet giving another way to skin a cat. I will take a look and see if it works better because I absolutely hate PBF with a passion and all the nuances (breaking) that comes along with it.

I guess this just goes back to PA articles and so many offering so many different solutions. I mean I do it one way and you do it a completely different way but if I google PA dual ISPs the first link is using PBF. Also PBF monitors the link as well to an external IP it just requires that you have all the networks defined that you want to be applied to that PBF. It then breaks inbound NAT as you can see and causes issue with VPN traffic hairpinning to the internet and to other VPN tunnels.