PBF is working, but I want to exclude GP


L1 Bithead

Hello everyone,

 

New here and fighting with my new PA-820.

 

I have 2 ISPs and I want to make the best use possible of those two.

So I created a PBF which reroutes HTTP and HTTPS traffic over the 2nd modem.

Now I have speeds over 350 Mbit/s for clients and am not bothering other important server data, which I have only 40 Mbit/s for.

 

So this is all working fine! Until I use GP for VPN.

The HTTP and HTTPS reroute works fine though, but the internal web applications over port 80 and 443 are rerouted as well.

So every internal webserver will time out. Age out and is incomplete.

But for example a webserver with a different port (like synology port 5000) will work fine.

 

Now GP is more important, so I turned off the PBF and everything works now...

But I really want to use our wide bandwidth instead of a very narrow one.

 

I've tried everything from a tunnel traffic no-PBF rule to DNATs to stop GP from using the PBF rule.

But maybe I'm overlooking something...

 

Can someone point me in the right direction?


L5 Sessionator

Hey @Joukevanduijsen

 

Can you share a screenshot of your PBF policy when it was at the undesired state?

 

Thanks,

Luke.

Sure! Here it is! (screenshot: reroute.JPG)

 

As you can see, I've already tried to negate the VPN pool, but GP is also directly hooked to the trust zone.

The last IP you see is for monitoring; if this IP is not reachable the PBF rule is deactivated.

Your PBF rule should only really be applied to destination zone Untrust, that way it will only activate for internet facing traffic where NAT via the two ISPs is actually required. Then, when you try to visit some internal server in destination zone Trust or DMZ the PBF policy won't even be applied.

 

What I have done in the past:

 

Source Zone: Trust

Source IP: Any

Destination IP: All RFC 1918 addresses (negate option checked)

Destination Zone: Untrust

Ahh! Thank you! I'm going to try that now

That didn't work... but the session browser told me a critical thing.

The data was not correctly sent back..

 

So after thinking with two people, we decided to create this:
PBF1 - VPN zone to Trust - any any - No PBF

PBF2 - Trust to VPN IP Pool - any any - No PBF

PBF3 - Trust to Any - Forward Application [Web-Browsing + SSL] to I/F Eth1/1.400, next hop Router Gateway with Monitor

 

Now everything works as expected!

Thank you for your precious time 🙂
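As an added illustration (not code from the thread or from PAN-OS), the following first-match simulation shows why the two no-PBF rules have to sit ahead of the forward rule: with only the original reroute rule, web traffic from Trust toward a GlobalProtect client address is sent out the ISP interface, which is the asymmetric path that broke the internal web apps. Zone names, the trust subnet, the GP pool, the interface name and the application names are constructed assumptions, and each rule's destination is modelled as an address range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: not the poster's real addresses or object names.
TRUST_LAN = "10.10.0.0/16"
GP_POOL = "172.31.255.0/24"
ISP2_IF = "ethernet1/1.400"


@dataclass
class PbfRule:
    name: str
    src_zone: str
    dst_nets: tuple = ()        # empty tuple = any destination address
    negate_dst: bool = False    # the rule's "negate" checkbox
    apps: tuple = ()            # empty tuple = any application
    action: str = "no-pbf"      # "no-pbf" or "forward"
    egress: str = ""            # egress interface when action == "forward"

    def matches(self, src_zone, dst_ip, app):
        if src_zone != self.src_zone:
            return False
        if self.dst_nets:
            hit = any(ip_address(dst_ip) in ip_network(n) for n in self.dst_nets)
            if hit == self.negate_dst:   # negate flips the address match
                return False
        return not self.apps or app in self.apps


def egress_for(rules, src_zone, dst_ip, app):
    """First matching rule wins; 'no-pbf' means fall back to the routing table."""
    for rule in rules:
        if rule.matches(src_zone, dst_ip, app):
            return "routing-table" if rule.action == "no-pbf" else rule.egress
    return "routing-table"


PBF1 = PbfRule("PBF1", "VPN", (TRUST_LAN,))                 # VPN zone -> Trust, no PBF
PBF2 = PbfRule("PBF2", "Trust", (GP_POOL,))                 # Trust -> GP pool, no PBF
PBF3 = PbfRule("PBF3", "Trust", apps=("web-browsing", "ssl"),
               action="forward", egress=ISP2_IF)            # Trust -> any web, ISP 2

ORIGINAL = [PBF3]                # the single reroute rule the thread started with
FIXED = [PBF1, PBF2, PBF3]       # the accepted three-rule order

if __name__ == "__main__":
    for rules in (ORIGINAL, FIXED):
        print([r.name for r in rules])
        print("  Trust -> internet ssl  :", egress_for(rules, "Trust", "203.0.113.10", "ssl"))
        print("  Trust -> GP client ssl :", egress_for(rules, "Trust", "172.31.255.20", "ssl"))
        print("  VPN   -> intranet web  :", egress_for(rules, "VPN", "10.10.5.5", "web-browsing"))
        print("  Trust -> NAS app (constructed name):", egress_for(rules, "Trust", "10.10.5.6", "nas-5000"))
```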

Thank you, Joukevanduijsen! 

I was having this issue as well but due to different circumstances. I have an Appliansys Caching Server. All 80 & 443 traffic is routed to that device via a PBF rule. Everything works great except when I'm connected via GlobalProtect VPN. When I'm connected via GP, I can access any device in my network that uses a port other than 80 & 443. When I disable the PBF rule, everything works fine. I've been working with support on this for two weeks without any progress. Your post solved this for me. I just wanted to reply to thank you and confirm this does work!

 

Cheers
