Can you configure Policy Based Forwarding without knowing the "Next Hop" address?


L0 Member

Hi folks,

I am trying to set up a PA200, running 5.0.6, to use two ISPs and set one set of users to use one ISP and the other users to use the second ISP for their outbound traffic.  My problem is that as these are ADSL circuits, each time the connection is made to the ISP, the next hop IP address may change and therefore the PBF rules that are there will fail.

I've created a test lab environment to simulate the customer's setup.

I've created three zones (trusted1, trusted2 and untrusted) and a security policy that allows source trusted1 and trusted2 to go to destination untrusted.  I also created two static routes (0.0.0.0/0) for both ISPs with the primary route to ISP1.  This setup allows all traffic to flow through ISP1 unless ISP1 is down, and then everything fails over to ISP2.  I then created two PBF rules.  Rule1 allows trusted1 to the interface connected to ISP1 and Rule2 allows trusted2 to the interface connected to ISP2.  In both PBF rules, I have not set a next hop IP address.  With these PBF rules in place, the monitor tab shows that traffic from trusted1 and trusted2 is being passed to the untrusted zone, but no traffic is hitting the test routers.  If I disable one of the PBF rules (either one), all of the traffic begins to flow through the interface of the disabled PBF rule.

Is there any way to set up a PBF rule(s) without setting a next hop address?
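One pragmatic way to live with a next hop that changes on every ADSL reconnect is to stop treating the PBF next hop as static configuration: read the gateway the WAN interface currently has, compare it with the next hop configured on each PBF rule, and push an updated value through the PAN-OS XML API (followed by a commit) only when it has changed. The script below is an added example written for this thread, not code from the original post or from Palo Alto Networks. The reply XML it parses is a constructed sample; the element names in that sample, the config xpath of the PBF next-hop node, and the `action=edit` form of the request are assumptions that need to be checked against the firewall's actual API output and its configuration tree before use. The API key is deliberately left out of the URL builder so it can be supplied per the firewall's supported method rather than embedded in a query string.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample reply, shaped like a PAN-OS XML API answer that reports
# the gateway learned on each dynamically addressed interface. The element
# names (<dyn-addr>, <entry>, <gateway>) are an ASSUMPTION for this example;
# confirm them against the real reply from your firewall before relying on them.
SAMPLE_DYN_IF_XML = """<response status="success">
  <result>
    <dyn-addr>
      <entry name="ethernet1/1"><ip>198.51.100.23/24</ip><gateway>198.51.100.1</gateway></entry>
      <entry name="ethernet1/2"><ip>203.0.113.45/24</ip><gateway>203.0.113.1</gateway></entry>
      <entry name="ethernet1/3"><ip>none</ip><gateway>none</gateway></entry>
    </dyn-addr>
  </result>
</response>"""

# ASSUMED config xpath of a PBF rule's next-hop IP in vsys1 of the local config.
PBF_NEXTHOP_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
    "/rulebase/pbf/rules/entry[@name='{rule}']/action/forward/nexthop/ip-address"
)

# Rule names are interpolated into an XPath predicate; refuse anything that
# could break out of the quoted string instead of trying to escape it.
_SAFE_RULE_NAME = re.compile(r"^[A-Za-z0-9 _.-]{1,63}$")


def extract_gateways(xml_text):
    """Return {interface: gateway} from the reply, keeping only valid IPv4 gateways."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed with status %r" % root.get("status"))
    gateways = {}
    for entry in root.iter("entry"):
        name, gw = entry.get("name"), entry.findtext("gateway")
        if not (name and gw):
            continue
        try:
            gateways[name] = str(ipaddress.IPv4Address(gw.strip()))
        except ipaddress.AddressValueError:
            continue  # "none" (link down) or garbage is never pushed into a rule
    return gateways


def plan_updates(rule_to_iface, current_nexthops, learned):
    """Return [(rule, new_gateway)] for rules whose next hop no longer matches its ISP link."""
    changes = []
    for rule, iface in rule_to_iface.items():
        gw = learned.get(iface)
        if gw is None:
            continue  # link is down or not up yet: leave the rule as it is
        if current_nexthops.get(rule) != gw:
            changes.append((rule, gw))
    return changes


def build_edit_request(host, rule, nexthop):
    """Build the config-API URL that rewrites one PBF rule's next hop (key sent separately)."""
    if not _SAFE_RULE_NAME.match(rule):
        raise ValueError("unsafe PBF rule name: %r" % rule)
    nexthop = str(ipaddress.IPv4Address(nexthop))  # re-validate at the boundary
    params = {
        "type": "config",
        "action": "edit",
        "xpath": PBF_NEXTHOP_XPATH.format(rule=rule),
        "element": "<ip-address>%s</ip-address>" % nexthop,
    }
    return "https://%s/api/?%s" % (host, urlencode(params))


def build_commit_request(host):
    """Config changes take effect only after a commit."""
    return "https://%s/api/?%s" % (host, urlencode({"type": "commit", "cmd": "<commit></commit>"}))


if __name__ == "__main__":
    learned = extract_gateways(SAMPLE_DYN_IF_XML)
    rules = {"Rule1": "ethernet1/1", "Rule2": "ethernet1/2"}
    configured = {"Rule1": "198.51.100.1", "Rule2": "203.0.113.254"}  # Rule2 is stale
    for rule, gw in plan_updates(rules, configured, learned):
        print(build_edit_request("fw.example.com", rule, gw))
    print(build_commit_request("fw.example.com"))
```

Run it from a scheduled job on a management host rather than on the firewall; the only state it needs is the mapping from PBF rule to WAN interface. Because a rule whose link is down is skipped rather than cleared, a flapping ADSL line does not leave a rule half-configured, and a malformed gateway in the reply is dropped before it can reach the config tree.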

1 REPLY

L4 Transporter

Hi,

We could have used an FQDN, but that is not yet supported; a Feature Request has been submitted for that feature to be included. FR ID: 1590. You can ask your systems engineer to send in a vote for that feature.

Thanks,

Syed R Hasnain

  • 1816 Views
  • 1 replies
  • 0 Likes