Policy Based Forwarding vs Security Rules

Reply
Highlighted
L1 Bithead

Policy Based Forwarding vs Security Rules

Hello,

 

I am not quite sure about the difference between rules created under 'Policy based forwarding' and 'Security' under Policies tab.

 

Could someone please help understand how are the rules different that are created under security and Policy based forwarding?

 

 

Thanks,

PS


Accepted Solutions
Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules

In the first example, "forward guest wireless traffic" is a single PBF rule, where the 2nd rule (send everything else via MPLS) happens in the virtual router / default route.  I'll tweak the example to be a little more clear:

 

  PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

  Routing:  "Send all traffic through the default route (MPLS circuit)"

 

My mistake for saying "all corporate traffic" - I meant "all traffic" that didn't match the PBF rule.  Hope that clears it up.  

 

View solution in original post

L7 Applicator

Re: Policy Based Forwarding vs Security Rules

@psharma,

You would use routing because it would state something along the lines of all traffic should go out the MPLS circut; then with PBF you specify with guest wireless traffic goes out the ISP gear. 

 

Further example would be if I had a route that stated 10.191.0.0/16 needs to go to a specific circuit. 

Say that I have my GIS users on 10.191.80.0/25 and for a undetermined amount of time I need to route them through a different circuit do to a potential litigation hold (sigh); I would find that easier to do with a PBF which is easy to create and remove on the fly rather than messing around with my routing table and breaking subnets out of my 10.191.0.0/16 range. 

View solution in original post


All Replies
Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules

PBF rules are checked before routing table and if any match then routing table is skipped.

So Security policies are to permit or deny traffic and PBF rules are used to decide where traffic should go to.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
Tags (1)
Highlighted
L1 Bithead

Re: Policy Based Forwarding vs Security Rules

ok, now i understand the difference between PBF and security rues but what is the need for PBF?

Is the Forwarding table alone not sufficient enough?

 

Basically, why do we need PBF if we already have routing tables?

 

 

Thanks,

PS

Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules

Routing is based on "destination".  To get to y.y.y.y send to next-hop z.z.z.z 

 

Policy-based Forwarding adds Source IP address to the routing decision.  This allows you to make routing decisions based on where the traffic is coming from - not just based on the destination.  

 

One example:

  PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

  Routing:  "Send all corporate traffic through the expensive MPLS circuit"

 

Another example:

  PBF Rule 1: "Forward half of my users via ISP1"

  PBF Rule 2: "Forward the other half of my users via ISP2"

  PBF Rule 3: "Forward all users via ISP1" (in case ISP2 is down)

  PBF Rule 4: "Forward all users via ISP2" (in case ISP1 is down)

Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules

@psharma,

There are quite a few use cases for PBF that would dictate that certain traffic is sent to a certain destination. PBF lets you specify an application, which wouldn't be possible if you are using just the routing table. 

Highlighted
L1 Bithead

Re: Policy Based Forwarding vs Security Rules

from this example: 

 

One example:

  PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

  Routing:  "Send all corporate traffic through the expensive MPLS circuit"

 

I do not feel any real difference between PBF and routing from the example above.

But, i do understand that PBF is used when you are deciding where to route based on the source and not on the destination as we typically do in routing.

However, in your example, it looks like you are deciding based on source for both. then how come the corporate one will be taken as routing and not PBF?

 

PS

Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules

In the first example, "forward guest wireless traffic" is a single PBF rule, where the 2nd rule (send everything else via MPLS) happens in the virtual router / default route.  I'll tweak the example to be a little more clear:

 

  PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"

  Routing:  "Send all traffic through the default route (MPLS circuit)"

 

My mistake for saying "all corporate traffic" - I meant "all traffic" that didn't match the PBF rule.  Hope that clears it up.  

 

View solution in original post

Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules


@BPry wrote:

PBF lets you specify an application, which wouldn't be possible if you are using just the routing table. 


 

Using Application for match criteria in a Policy-Based Forwarding policy is not recommended.  Palo Alto Networks recommends using a service object instead, if possible.  Not to say that Application-based PBF doesn't work, but there are a handful of caveats to be aware of:

 - https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_13619

 

That being said, the example is helpful as it's a great difference between PBF and Routing.  

L7 Applicator

Re: Policy Based Forwarding vs Security Rules

@psharma,

You would use routing because it would state something along the lines of all traffic should go out the MPLS circut; then with PBF you specify with guest wireless traffic goes out the ISP gear. 

 

Further example would be if I had a route that stated 10.191.0.0/16 needs to go to a specific circuit. 

Say that I have my GIS users on 10.191.80.0/25 and for a undetermined amount of time I need to route them through a different circuit do to a potential litigation hold (sigh); I would find that easier to do with a PBF which is easy to create and remove on the fly rather than messing around with my routing table and breaking subnets out of my 10.191.0.0/16 range. 

View solution in original post

Highlighted
L7 Applicator

Re: Policy Based Forwarding vs Security Rules

@jvalentine,

That's why I put it in; missing the first hand-full of packets until you actually get identified can be a pain, but thankfully we now have that awesome application cache so it's less of an issue ;) 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!