05-11-2020 04:10 PM
Hello Folks,
I'm trying to set up my Palo Alto to do Policy Based Forwarding.
Does the PA do NAT before Policy Based Forwarding?
I've created a Policy Based Forwarding rule to send traffic to an interface if it is sourced from an address range, 10.0.0.0/24.
But it seems to be failing... sometimes. I've noticed that it fails when the source traffic is NATed first.
So there is a NAT rule that changes the source address from 10.0.0.0/24 to 20.0.0.0/24.
The PA doesn't do the Policy Based Forwarding because it doesn't see the traffic coming from 10.0.0.0/24, as it is NATed.
Does that mean that the NAT is done before the Policy Based Forwarding? I guess it is?
If I only want traffic to be policy forwarded if sourced from 10.1.0.0/16, would my workaround be to create a NAT policy that, if it matches 10.1.0.0/16, does not NAT? That way it would keep the source address and be policy forwarded instead?
Any thoughts would be appreciated.
05-12-2020 12:12 AM
NAT is performed after PBF, as it can only be applied after the egress interface is determined (so after PBF and route lookups).
How did you configure your PBF rule? Did you add an application as a match condition? (That will have an impact on how PBF is able to intercept and redirect sessions: it doesn't know what an application is from the SYN packet, so it first needs to determine that.)
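To make the ordering in the reply above concrete, here is an added model of the first-packet lookup order it describes (PBF on the original packet, then the route table, then NAT matched against the resulting egress zone). It is example code, not PAN-OS code or anything from the thread; the interface names, zones, rule names and addresses are constructed to mirror the question, and the "application-based PBF is skipped until App-ID has identified the application" rule is an assumption taken from the reply rather than from vendor documentation.

```python
"""Constructed model of PAN-OS first-packet handling (not Palo Alto code).

Assumed, simplified pipeline for the SYN of a new session:
  1. PBF lookup on the ORIGINAL (pre-NAT) source  -> egress interface
  2. otherwise a normal route lookup               -> egress interface
  3. NAT policy lookup, keyed on the egress zone   -> translated source
Consequence: a source NAT rule cannot hide a host from PBF. If a host
is not PBF-forwarded, the PBF rule itself did not match that packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class PBFRule:
    name: str
    source: str                     # CIDR the original source must fall in
    egress_interface: str
    next_hop: Optional[str] = None  # None = interface-only next hop
    application: str = "any"        # assumption: app-specific rules need App-ID


@dataclass
class NATRule:
    name: str
    source: str
    to_zone: str                    # NAT rules match on the *egress* zone
    translated_source: str


@dataclass
class Result:
    egress_interface: str
    via: str                        # "pbf:<rule>" or "route"
    src_after_nat: str
    nat_rule: Optional[str]


# Constructed topology: interface -> zone, and a default route out ethernet1/1.
INTERFACE_ZONE = {"ethernet1/1": "untrust", "ethernet1/3": "isp2"}
DEFAULT_ROUTE_IFACE = "ethernet1/1"

# Rules mirroring the question: PBF for 10.0.0.0/24 with an interface-only
# next hop, and source NAT for the same range when leaving via "untrust".
PBF_RULES = [PBFRule("pbf-isp2", "10.0.0.0/24", "ethernet1/3")]
NAT_RULES = [NATRule("snat-untrust", "10.0.0.0/24", "untrust", "20.0.0.1")]


def pbf_lookup(src: str, app: str, rules: List[PBFRule]) -> Optional[PBFRule]:
    """Step 1: match PBF against the untranslated source, first hit wins."""
    for r in rules:
        if ip_address(src) not in ip_network(r.source):
            continue
        # An app-based rule cannot be decided from the SYN alone: until
        # App-ID knows the app ("unknown" here) the packet falls through.
        if r.application != "any" and app != r.application:
            continue
        return r
    return None


def nat_lookup(src: str, egress_zone: str, rules: List[NATRule]) -> Optional[NATRule]:
    """Step 3: NAT is evaluated only once the egress zone is known."""
    for r in rules:
        if ip_address(src) in ip_network(r.source) and r.to_zone == egress_zone:
            return r
    return None


def forward(src: str, app: str, pbf_rules: List[PBFRule],
            nat_rules: List[NATRule]) -> Result:
    """Run one SYN through PBF -> route -> NAT and report what happened."""
    pbf = pbf_lookup(src, app, pbf_rules)
    if pbf:
        iface, via = pbf.egress_interface, f"pbf:{pbf.name}"
    else:
        iface, via = DEFAULT_ROUTE_IFACE, "route"
    nat = nat_lookup(src, INTERFACE_ZONE[iface], nat_rules)
    new_src = nat.translated_source if nat else src
    return Result(iface, via, new_src, nat.name if nat else None)


if __name__ == "__main__":
    # Host in the PBF range: PBF wins, so the untrust SNAT rule never applies.
    print(forward("10.0.0.5", "unknown", PBF_RULES, NAT_RULES))
    # Same host, but the PBF rule requires application "ssl": the SYN misses
    # PBF, is routed out ethernet1/1 and picks up SNAT, looking "NATed first".
    app_rule = [PBFRule("pbf-ssl", "10.0.0.0/24", "ethernet1/3", application="ssl")]
    print(forward("10.0.0.5", "unknown", app_rule, NAT_RULES))
```

The second case in the `__main__` block is the symptom from the question reproduced without any NAT-before-PBF ordering: the SNAT only appears because the PBF lookup missed on the first packet, which is exactly why the reply asks whether an application was used as a match condition.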
05-12-2020 12:41 AM
Thanks for replying, Reaper L7 Applicator... nice name.
The application is any.
The service is any.
I'm wondering if I should set them to application-default.
I've noticed that where it's not working (not getting Policy Based Forwarding), it is getting NATed first.
05-12-2020 12:53 AM
Thanks Jedi_DL L2 Linker 😉
(The L7 thing is my community rank, not my name 🙂 )
That would mean PBF is not hit and then NAT is applied on the default route egress,
unless the session goes through the firewall twice and is picking up NAT in a different session?
Did you set a next hop IP so the session can get routed out, or is the destination located on the interface subnet?
05-12-2020 01:00 AM
Hi,
For the next hop on the Policy Based Forwarding (PBF) rule, I gave both the interface it should leave and the next hop IP address on that subnet.
I still can't understand why, for some traffic, it is not hitting the PBF.
I can see that for one host in the PBF source range, it is getting correctly policy based forwarded.
But for another host, also in the PBF range, it is being NATed first and therefore not policy based forwarded.
05-21-2020 06:07 AM
Hello Folks,
We found out why the PBF was not working... I think it is a bug: we had to take out the next hop IP address from the PBF statement. We left only the interface for the next hop. This allowed the PBF to work. I don't know why using an IP address for the next hop doesn't work. I suspect it is because we have a pair of active-active firewalls.
We also tried all the different binding options in the PBF statement on both firewalls.