11-15-2016 01:05 PM
Does PBF work across different virtual routers?
i.e. will a PBF rule work if the incoming packet is received on an interface associated with one virtual router, and the rule tells it to go out an interface associated with a different virtual router?
I'm assuming it should... just wanted to clarify.
11-17-2016 03:18 AM - edited 11-17-2016 03:21 AM
Hi CMG,
Yes, this works fine assuming the following:
both interfaces part of same zone
asymmetric routing not in play
sec policies allowing same
Run the following commands when testing (apply filters for the source & dst you are testing with, so the counters are relevant):
show counter global filter packet-filter yes delta yes
Use the following articles if getting dropped due to asymmetric R
Run the following cmds to test the PBF rule matches what's expected as well, replacing IPs as required. Ping protocol number is 1 and is what I used for a quick test.
admin@PA-3000> test pbf-policy-match application any from untrust destination 172.25.5.239 protocol 1 source 172.25.4.6
test {
id 1;
from untrust;
source any;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/2;
next-hop 0.0.0.0;
terminal no;
}
best regards
Robert D
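As an added example (not from the post above and not a Palo Alto Networks tool), a small Python check that parses the brace-delimited test pbf-policy-match output shown in the reply and verifies that the matched rule forwards out the expected egress interface, with an extra finding when symmetric-return is off and asymmetric routing is a concern. It assumes that output format; the "no rule matched" wording for empty output is my assumption.

```python
import re

# Constructed sample: the test pbf-policy-match output from the reply above.
# Interface and rule values are the poster's lab values, embedded for an offline run.
SAMPLE_OUTPUT = """test {
id 1;
from untrust;
source any;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/2;
next-hop 0.0.0.0;
terminal no;
}"""


def parse_pbf_match(text):
    """Parse 'name { key value; ... }' blocks into {name: {key: value}}."""
    rules = {}
    for name, body in re.findall(r"(\S+)\s*\{(.*?)\}", text, re.S):
        fields = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(" ")
                fields[key] = value.strip()
        rules[name] = fields
    return rules


def check_pbf_match(text, expected_egress, asymmetric_risk=False):
    """Return a list of findings; an empty list means the match looks as expected."""
    rules = parse_pbf_match(text)
    if not rules:
        # Assumption: no block in the output means the test flow hit no PBF rule.
        return ["no PBF rule matched the test flow"]
    findings = []
    for name, f in rules.items():
        if f.get("action") != "Forward":
            findings.append(f"{name}: action is {f.get('action')}, not Forward")
        egress = f.get("forwarding-egress-IF/VSYS")
        if egress != expected_egress:
            findings.append(f"{name}: egress {egress} != expected {expected_egress}")
        # Return traffic entering via the other virtual router can be dropped as
        # asymmetric unless symmetric-return is enabled on the rule.
        if asymmetric_risk and f.get("symmetric-return") != "yes":
            findings.append(f"{name}: symmetric-return is off; return traffic may be dropped")
    return findings
```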