ECMP breaks secure email access.


L3 Networker

Hi all, 

While using ECMP for the last 2 years without any issues, with 3 ISPs at different weights and Symmetric Return and Strict Source Path enabled, I found that some sites with authenticated access and Proofpoint secure email access are timing out because of their sensitivity to the source ISP changing during the session.

In most cases, creating a PBF rule using an address group for all those sites' FQDNs resolves the issue, but I'm looking for a way to use PBF based on URL category, like banks/financial sites.

Anyone face the same issue and solved it with a different approach? 

Thank you for the help.

5 REPLIES

Cyber Elite

Hi @SShnap,

I had similar issues with 1 customer. Changing the ECMP Load Balance Method from IP Modulo (default) to IP Hash caused all sessions with the same source/destination to always go out the same interface. This eliminated the need for PBF, and the applications worked properly. You could also check the box so that all traffic from a source IP address always goes out the same interface.

It appeared that the problem was that the web application wanted all traffic from the same source to have the same IP. This change fixed the issue.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
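To illustrate the point about per-source selection, here is an added example that is not from this thread and does not implement the PAN-OS IP Hash or IP Modulo algorithm: a toy model using a constructed octet-sum hash and constructed addresses, showing that hashing on source and destination can expose one client to a multi-address service under several public IPs, while source-only selection keeps every session from that client on one ISP.

```python
import ipaddress

# Constructed model of ECMP egress selection. The hash below is a toy
# octet-sum hash chosen so results can be checked by hand; it is NOT the
# PAN-OS IP Hash or IP Modulo algorithm. Addresses are constructed
# (RFC 5737 documentation ranges for ISPs/service, RFC 1918 client).
ISP_LINKS = {
    "ethernet1/1": "203.0.113.10",   # ISP A, public IP after source NAT
    "ethernet1/2": "198.51.100.20",  # ISP B
    "ethernet1/3": "192.0.2.30",     # ISP C
}

# A service such as a secure-mail portal whose FQDN resolves to several
# addresses; each new connection from the client may pick a different one.
SERVICE_IPS = ["192.0.2.200", "192.0.2.201", "192.0.2.202"]


def _octet_sum(ip: str) -> int:
    """Toy hash: sum of the address bytes (hand-computable)."""
    return sum(ipaddress.ip_address(ip).packed)


def select_egress(src_ip: str, dst_ip: str, source_only: bool) -> str:
    """Pick the ECMP egress interface for one session.

    source_only=False hashes source AND destination address, so the same
    client can leave via different ISPs when it talks to different
    addresses of one service. source_only=True models the 'use source
    address only' option: every session from one client takes one link.
    """
    key = _octet_sum(src_ip) if source_only else _octet_sum(src_ip) + _octet_sum(dst_ip)
    links = sorted(ISP_LINKS)
    return links[key % len(links)]


def observed_client_ips(src_ip: str, service_ips: list[str], source_only: bool) -> set[str]:
    """Public source IPs the service sees from one client across sessions.

    More than one entry means a server-side session bound to the client IP
    it first saw can time out when a later connection arrives from another
    ISP's address.
    """
    return {ISP_LINKS[select_egress(src_ip, dst, source_only)] for dst in service_ips}


if __name__ == "__main__":
    for mode in (False, True):
        seen = observed_client_ips("10.1.2.3", SERVICE_IPS, source_only=mode)
        print(f"source_only={mode}: service sees client as {sorted(seen)}")
```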

L3 Networker

@TomYoung Thank you for the comment. So if I'm going the IP Hash route, I need to remove the PBF, and there is no weight consideration?

Currently I'm using 2 ISPs with the same weight and a 3rd ISP for backup with a lower weight.

I will check this option later and see the results.

Thank you 

Cyber Elite

Hi @SShnap,

No, there is no weight consideration with IP Hash. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ecmp/ecmp-load-balancing-algor...

IP Hash balances over all links the same. If you want the 3rd ISP for backup, you can give it a higher metric.

I'm sure you already know this, but it is safer to disable PBF for now rather than remove it. Rollback becomes much faster.

Thanks,

Tom

L3 Networker

@TomYoung Thank you for the response. I still want to use the PBF because some of the services are allowed based on the outbound ISP interface.

Do you know what is prioritized first if we are using IP Hash and PBF?

I meant disabling before removing them completely; thank you for the clarification.

Cyber Elite

Hi @SShnap,

PBF takes priority over routing. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/policy-based-forwarding

Thanks,

Tom