Useless PBF warning

L4 Transporter

Useless PBF warning

Hi All,

 

That's not an issue. I just want to share this thought with you. [Screenshots: PBF_warning.JPG, Warning_Rule.JPG]

 

Starting from the fact that the egress interface is NOT a matching criterion: I have to configure around 80 VPN tunnels (each with its own backup tunnel using the PBF option "disable if unreachable"), so it means I will have 80 warnings.. :,(

 

Wouldn't it be useful to have the egress interface as a matching criterion in PBF policies?

What is your opinion?

 

Regards

D!Z

L4 Transporter

Re: Useless PBF warning

Hi TheRealDiz,

 

It's not possible to put the egress interface as a condition, as the PBF is itself responsible for determining the egress interface (the result cannot be a condition).

 

In Palo Alto, either the PBF or the Routing table determines the egress interface.

 

In your screenshot I can guess rule 7 is shadowing 8, 3 is shadowing 4. Reason is that the conditions are identical for 3/4 and 7/8. Moreover, rule 8 and rule 4 might not actually trigger if you don't choose the monitor profile correctly or check the box for 'Disable this rule if the next hop/monitor IP is unavailable'.

 

Nothing can be done about the warnings. By the way, how many paths can a single tunnel take? If it's just 2, usually you'd put the main path in the PBF and a backup path in the VR. Do you have 3 paths, 2 via PBF and 1 via VR? If it's 2, configure the backup path in the VR (static route = next hop is backup tunnel interface (no IP req'd)). And, in your PBF choose a monitor profile with the Action - Fail over and uncheck the box for 'Disable this rule if the next hop/monitor IP is unavailable'.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
L0 Member

Re: Useless PBF warning

I've had the same issue, and I resolved it by adding a "dummy" zone to the shadowed PBF rule, as shown below:

[Screenshot: clipboard_image_0.png]
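To make the two previous replies concrete, here is a small Python model of why the warning appears and why the "dummy zone" workaround silences it. This is an added illustration, not code from the thread or from Palo Alto Networks, and it is a simplified model of a shadow check rather than PAN-OS's own implementation: a PBF rule is reduced to from-zone, source and destination, the egress interface is kept out of the match criteria because it is the rule's result, and an earlier rule shadows a later one when it matches everything the later one matches. The rule names, addresses, zones and tunnel interfaces are constructed for the example.

```python
from dataclasses import dataclass, replace

ANY = frozenset({"any"})


@dataclass(frozen=True)
class PbfRule:
    """One PBF rule, reduced to the fields that matter for shadowing (constructed model)."""
    name: str
    from_zone: frozenset
    source: frozenset
    destination: frozenset
    egress_interface: str            # the rule's *result*, never a condition
    disable_if_unreachable: bool = False

    def match_criteria(self):
        # The egress interface is deliberately excluded: PBF decides the egress
        # interface, so the same field cannot also be a condition of the rule.
        return (self.from_zone, self.source, self.destination)


def covers(wider, narrower):
    """True if every value matched by `narrower` is also matched by `wider`."""
    return wider == ANY or narrower <= wider


def shadows(earlier, later):
    """An earlier rule shadows a later one if it matches all traffic the later one matches."""
    return all(covers(w, n) for w, n in zip(earlier.match_criteria(), later.match_criteria()))


def find_shadowed(rules):
    """Return (shadowing_rule, shadowed_rule, looks_like_failover) for each shadowed rule.

    The pair looks like an intentional primary/backup design when the earlier rule is
    set to 'disable if unreachable', because the later rule is only meant to take over
    once the earlier one has been switched off. A static shadow check cannot see that
    intent, so it warns anyway; that is the warning the thread is about.
    """
    findings = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if shadows(earlier, later):
                findings.append((earlier.name, later.name, earlier.disable_if_unreachable))
                break
    return findings


def add_dummy_zone(rules, dummy_zone):
    """Model of the workaround from the last reply: widen each shadowed rule's from-zone
    with an otherwise unused zone so its criteria no longer equal the primary rule's."""
    shadowed = {later for _, later, _ in find_shadowed(rules)}
    return [
        replace(r, from_zone=r.from_zone | {dummy_zone}) if r.name in shadowed else r
        for r in rules
    ]


def tunnel_pair(n, source, destination, primary_if, backup_if):
    """Primary/backup PBF pair as described in the thread: identical criteria, different tunnel."""
    crit = dict(from_zone=frozenset({"trust"}), source=frozenset({source}),
                destination=frozenset({destination}))
    return [
        PbfRule(f"rule{n}", egress_interface=primary_if, disable_if_unreachable=True, **crit),
        PbfRule(f"rule{n + 1}", egress_interface=backup_if, **crit),
    ]


# Constructed rulebase mirroring the 3/4 and 7/8 pairs mentioned in the thread,
# plus an unrelated rule 5 to show that a field-wise difference prevents shadowing.
SAMPLE_RULES = (
    tunnel_pair(3, "10.1.0.0/24", "10.9.0.0/24", "tunnel.1", "tunnel.2")
    + [PbfRule("rule5", frozenset({"dmz"}), ANY, ANY, "tunnel.9")]
    + tunnel_pair(7, "10.2.0.0/24", "10.9.0.0/24", "tunnel.3", "tunnel.4")
)

if __name__ == "__main__":
    for earlier, later, failover in find_shadowed(SAMPLE_RULES):
        kind = "primary/backup pair" if failover else "likely misconfiguration"
        print(f"{earlier} shadows {later} ({kind})")
    print("after dummy zone:", find_shadowed(add_dummy_zone(SAMPLE_RULES, "pbf-dummy")))
```

Running it reports `rule3 shadows rule4` and `rule7 shadows rule8`, both flagged as primary/backup pairs, and an empty list once the dummy zone is applied. Anurag's alternative (backup path as a static route in the virtual router, PBF monitor action set to fail over) avoids the second PBF rule altogether, so there is nothing for the check to flag.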
