Can Policy-based forwarding be used for routing the firewall connection for updates?



We've got a firewall that doesn't have a management interface connection. The default route for the firewall is configured across a tunnel interface. The service route has been configured to use the outside interface; there's no option to use the tunnel interface.

I'm trying to get Policy-based forwarding working so traffic sourced from the firewall's outside interface has a route to the next-hop router. But it's not working: can't get dynamic updates, can't download software.


Any ideas?





Hi @FrankMurray ,


PBF will not work for traffic which is originating from PA firewall interfaces. It will get used only for the systems which are behind the firewall. So when traffic is originating from the firewall, it will use the routing table to check routes for the desired destination.


Hope it helps!


Hi @FrankMurray ,


This is one of the reasons I really hate a setup that requires a default route pointing to a VPN tunnel. I would suggest you do the following, which unfortunately will require a massive change:


1. Create two separate virtual routers (vr).

2. Assign your outside/public fw interface to vr1 and configure the default route via the public interface.

3. Assign your lan/internal fw interface to vr2.

4. Configure your IPsec tunnel to use your public/outside interface for the local peer IP, but assign the tunnel interface to vr2.

5. Configure the default route for vr2 to the tunnel interface.


This will allow you to have a default route for the internal resources pointing to the tunnel, while the fw still has a default route pointing to the next-hop via the outside interface. After that it should be enough to set the service route to use the public interface, which will take the default route from vr1 off to the public internet and not the VPN.
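The five steps above expressed as PAN-OS `set` commands, added here as a worked illustration; this is not configuration from the original post or from Palo Alto Networks documentation. The interface names ethernet1/1 (outside) and ethernet1/2 (LAN), the addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, the gateway/tunnel names hub-gw and hub-vpn, and the `<psk>` placeholder are all assumptions; IKE/IPsec crypto profiles are left at their defaults and the peer side is not shown.

```text
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.10/24
set network interface ethernet ethernet1/2 layer3 ip 10.0.0.1/24
set network interface tunnel units tunnel.1

set network virtual-router vr1 interface ethernet1/1
set network virtual-router vr1 routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

set network virtual-router vr2 interface ethernet1/2
set network virtual-router vr2 interface tunnel.1
set network virtual-router vr2 routing-table ip static-route default destination 0.0.0.0/0 interface tunnel.1

set network ike gateway hub-gw local-address interface ethernet1/1
set network ike gateway hub-gw peer-address ip 198.51.100.1
set network ike gateway hub-gw authentication pre-shared-key key <psk>
set network tunnel ipsec hub-vpn auto-key ike-gateway hub-gw
set network tunnel ipsec hub-vpn tunnel-interface tunnel.1

set deviceconfig system route service paloalto-updates source interface ethernet1/1
set deviceconfig system route service paloalto-updates source address 203.0.113.10/24
set deviceconfig system route service dns source interface ethernet1/1
set deviceconfig system route service dns source address 203.0.113.10/24
```

The point of the split is that the IKE gateway is bound to ethernet1/1, so the IKE/ESP packets the firewall itself generates are looked up in vr1 and leave via the ISP next-hop, while the decapsulated traffic appears on tunnel.1 in vr2, where the default route sends LAN traffic into the tunnel. The update service routes are bound to the same outside interface and therefore also follow vr1. After committing, `test routing fib-lookup virtual-router vr1 ip 8.8.8.8` should resolve to ethernet1/1 via 203.0.113.1 and the same lookup in vr2 should resolve to tunnel.1; `request system software check` then confirms the firewall can reach the update servers. If some LAN prefixes ever need to bypass the tunnel, add a static route in vr2 with `nexthop next-vr vr1` rather than reintroducing PBF, which still won't apply to firewall-sourced traffic.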

So that's why my lab environment to test 2 ISP connection never worked 😅
