Use Cases and Overview of Policy Based Forwarding

Title_Policy-Based-Forwarding_palo-alto-networks.jpg.jpg

Introduction

Enterprises today are increasingly adopting hybrid network architectures. Many also implement various enforcement points across their hybrid environments to meet compliance or regulatory requirements. This can become even more complex in multivendor environments.

Additionally, some enterprises leverage multiple ISPs, enabling application access through multiple paths. The key challenge in such scenarios is ensuring proper traffic forwarding across these diverse paths while maintaining traffic flow symmetry.

This document outlines best practices and provides sample configurations to successfully implement policy-based forwarding in such environments.

For the sake of this document, let us consider the topology and requirements below:

Any traffic to port 80 and 443 should be sent via the tunnel interface
All other traffic should be forwarded via the untrust interface of the firewall

Fig 01_Policy-Based-Forwarding_palo-alto-networks.jpg.png

Solution

Configure a policy based forwarding (PBF) to create policies to forward the traffic .

Fig 03_Policy-Based-Forwarding_palo-alto-networks.jpg.png

Configuration elements are:

Default route to send traffic via the untrust interface for everything inbound.
PBF Rule to send traffic to port 80 and 443 from the webserver via the tunnel interface.
To ensure return traffic of the Inbound access to web server returns to the untrust interface we configure a no-pbf configuration with 'enforce symmetric return'

Summary:

This way, you can use PBF to override the next hop from the routing table and choose a different path based on different parameters like source, destination, protocol and application type etc.