Does PBF work across different virtual routers?


L2 Linker

Does PBF work across different virtual routers?

 

i.e. will a PBF rule work if the incoming packet is received on an interface associated with one virtual router, and the rule tells it to go out an interface associated with a different virtual router?

 

I'm assuming it should... just wanted to clarify.

1 accepted solution

Accepted Solutions

L3 Networker

Hi CMG, 

 

Yes, this works fine assuming the following:

both interfaces part of the same zone

asymmetric routing not in play

security policies allowing the same

 

Run the following command when testing (apply filters for the source & dst you are testing with, so the counters are relevant):

show counter global filter packet-filter yes delta yes

 

Use the following articles if getting dropped due to asymmetric routing:

https://live.paloaltonetworks.com/t5/Configuration-Articles/SYN-ACK-Issues-with-Asymmetric-Routing/t...

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Issues-with-Asymmetric-Routing/ta-p/6545...

 

 

Run the following command to test that the PBF rule matches what's expected as well, replacing IPs as required. Ping's protocol number is 1 and is what I used for a quick test:


admin@PA-3000> test pbf-policy-match application any from untrust destination 172.25.5.239 protocol 1 source 172.25.4.6

test {
id 1;
from untrust;
source any;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/2;
next-hop 0.0.0.0;
terminal no;
}

 

best regards

 

Robert D 

 

 

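As an added check that is not part of the original reply, the script below parses the `test pbf-policy-match` output quoted above and flags a match whose egress interface sits in a different virtual router from the ingress interface; the interface-to-VR map and the ethernet1/1 name are assumptions, only ethernet1/2 comes from the thread.

```python
import re

# Constructed sample: the `test pbf-policy-match` output quoted in the reply above.
SAMPLE_OUTPUT = """test {
id 1;
from untrust;
source any;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/2;
next-hop 0.0.0.0;
terminal no;
}
"""

# Assumed interface-to-virtual-router map; only ethernet1/2 appears in the thread.
INTERFACE_VR = {"ethernet1/1": "vr-untrust", "ethernet1/2": "vr-trust"}


def parse_pbf_match(output: str) -> dict:
    """Parse the 'rule { key value; ... }' block; {} means no rule matched."""
    m = re.search(r"^(\S+)\s*\{(.*?)\}", output, re.S | re.M)
    if not m:
        return {}
    rule = {"rule": m.group(1)}
    for line in m.group(2).splitlines():
        line = line.strip().rstrip(";")
        if line:
            key, _, value = line.partition(" ")
            rule[key] = value.strip()
    return rule


def check_cross_vr(rule: dict, ingress_if: str, interface_vr: dict) -> list:
    """Findings to review before trusting a PBF rule that crosses virtual routers."""
    if not rule:
        return ["no PBF rule matched; packet follows the ingress VR routing table"]
    egress = rule.get("forwarding-egress-IF/VSYS", "")
    findings = []
    if interface_vr.get(ingress_if) != interface_vr.get(egress):
        findings.append(f"cross-VR forward: {ingress_if} -> {egress}")
        # Without enforced symmetric return, replies follow the egress VR's
        # routing table, which is where the asymmetric-routing drops come from.
        if rule.get("symmetric-return") != "yes":
            findings.append("symmetric-return is off; verify the reverse path")
    return findings
```

Feed it the real CLI output and your own interface-to-VR map; an empty findings list means the match stays inside one virtual router.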

