I have two ISPs configured with path monitoring and I can successfully monitor the primary route and fail over to the secondary, however what I would like to do now is use PBF to always send some of my traffic out the secondary ISP. Everything I've read says this is possible and should be fairly straight-forward but I just can't seem to get it to work. I have a test PBF policy set up for all traffic from a single client and the policy appears to be working, hit counts increase and my traffic detail shows that the correct interface and NAT policy is being applied however I don't get any packets back. I've torn down and rebuilt the rules a couple times now so it's possible I've become blind to a simple missed setting.
Again if I simply fail the primary route, the secondary route takes over and all traffic flows out so the interface is working as is the outbound NAT and security policies; my problem just seems to be using both interfaces at the same time.
One thing to look at is if you have zone protection enabled and you have the spoofed ip address checked in TCP/IP Drop options under Attack Protection. This in conjunction with PBF will cause the firewall to drop the return traffic as it doesn't align with the route table.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!