01-04-2021 06:15 PM
We've got a firewall that doesn't have a management interface connection. The default route for the firewall is configured across a tunnel interface. The service route has been configured to use the outside interface; there's no option to use the tunnel interface.
I'm trying to get Policy-based forwarding working so traffic sourced from the firewall's outside interface has a 0.0.0.0/0 route to the next-hop router. But it's not working: can't get dynamic updates, can't download software.
Any ideas?
Thanks
01-04-2021 10:02 PM
Hi @FrankMurray ,
PBF will not work for traffic which is originating from PA firewall interfaces. It will get used only for the systems which are behind the firewall. So when traffic is originating from the firewall, it will use the routing table to check routes for the desired destination.
Hope it helps!
01-05-2021 06:55 AM
Hi @FrankMurray ,
This is one of the reasons I really hate a setup that requires the default route pointing to a VPN tunnel. I would suggest you do the following, which unfortunately will require a massive change:
1. Create two separate virtual-routers (vr).
2. Assign your outside/public fw interface to vr1 and configure the default route via the public interface.
3. Assign your lan/internal fw interface to vr2.
4. Configure your IPsec tunnel to use your public/outside interface for the local peer IP, but assign the tunnel interface to vr2.
5. Configure the default route for vr2 to the tunnel interface.
This will allow you to have a default route for the internal resources pointing to the tunnel, while the fw still has a default route pointing to the next-hop via the outside interface. After that it should be enough to set the service route to use the public interface, which will take the default route from vr1 off to the public internet and not the VPN.
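The two-virtual-router layout from the steps above, written out as PAN-OS configuration-mode CLI. This is an added example, not part of the thread or of any Palo Alto Networks documentation; the virtual-router names, interface numbers, tunnel/gateway names and all IP addresses (RFC 5737 documentation ranges) are placeholders, and the exact `set` syntax is assumed from memory of the configuration CLI, so check it against your PAN-OS version before committing.

```text
# --- vr-public: only the outside interface lives here (assumed names/addresses)
set network virtual-router vr-public interface ethernet1/1
# Default route for the firewall's own sourced traffic: next hop is the ISP router
set network virtual-router vr-public routing-table ip static-route default-public destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

# --- vr-internal: LAN interface plus the tunnel interface
set network virtual-router vr-internal interface [ ethernet1/2 tunnel.1 ]
# Default route for hosts behind the firewall: into the VPN (no next hop on a tunnel interface)
set network virtual-router vr-internal routing-table ip static-route default-vpn destination 0.0.0.0/0 interface tunnel.1

# --- IKE gateway terminates on the public interface (in vr-public) ...
set network ike gateway gw-site local-address interface ethernet1/1
set network ike gateway gw-site peer-address ip 198.51.100.10
# ... while the IPsec tunnel is bound to tunnel.1, which sits in vr-internal
set network tunnel ipsec vpn-site tunnel-interface tunnel.1
set network tunnel ipsec vpn-site auto-key ike-gateway gw-site

# --- Service routes: updates and content downloads leave via the public interface,
# so they follow vr-public's default route instead of the tunnel
set deviceconfig system route service paloalto-updates source interface ethernet1/1
set deviceconfig system route service paloalto-updates source address 203.0.113.2/24
set deviceconfig system route service dns source interface ethernet1/1
set deviceconfig system route service dns source address 203.0.113.2/24
commit

# --- Verification (operational mode): each VR should show its own 0.0.0.0/0
show routing route virtual-router vr-public
show routing route virtual-router vr-internal
# Confirm a firewall-sourced lookup from vr-public resolves to the ISP next hop, not tunnel.1
test routing fib-lookup virtual-router vr-public ip 203.0.113.1
```

Because each interface can belong to only one virtual router, the point of the split is that service-route traffic sourced from ethernet1/1 is looked up in vr-public, where the only default route is the physical next hop, so no PBF rule is needed.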
01-29-2023 07:58 PM
So that's why my lab environment to test 2 ISP connection never worked 😅