11-24-2020 02:45 PM
I want to create a PBF Policy in order to route traffic from one zone/interface destined for the Internet to a transparent intercepting squid proxy in another zone/behind another interface. Using a destination nat policy seems to work, but some other problem occurs and I was advised to try a PBF.
The PBF is defined as follows:
Source:
  Type: Interface (same with Zone)
  Interface: ethernet1/3.300
  Source Address: 192.168.2.66/32 (I just want this to happen for a single IP)
  Source User: any
Destination/Application Service:
  Destination Address: any (normally destined for targets in the Internet)
  Applications: any
  Service: service-http (tcp/80), service-https (tcp/443)
Forwarding:
  Action: Forward
  Egress Interface: ethernet1/3.200
  Next Hop: 192.168.0.3/32
On commit I get the error "Error: pbf rule 'Test PBF': IP 192.168.0.3 does not match subnets defined on pbf interface ethernet1/3.200. Error: Failed to parse pbf policy" that I don't understand because the network 192.168.0.0/24 is the one assigned to that interface.
What's wrong?
11-24-2020 08:14 PM
Can you please check the subnet mask configured on the interface ethernet1/3.200? Is it /24 or /32?
Make sure it is /24 as per your design.
11-24-2020 08:08 PM
Under the PBF rule, for the source choose Zone instead of Interface.
Also, for the next hop, type the address on the far side of the link. For example, if the next-hop interface is ae1.100 with IP 1.1.1.2,
and this interface connects to a switch or router that has IP 1.1.1.1:
PA - eth ae1.100 ---IP 1.1.1.2 ------------ ---IP 1.1.1.1 Vlan 100 on switch
Then the next hop will be 1.1.1.1, which is on the other side of the PA.
Regards
11-24-2020 10:56 PM
Indeed! It seems this here was the problem! I only had 192.168.0.254 set as the IP address, not 192.168.0.254/24.
Is it then explicitly assumed to be /32? But why did everything else work? Just because I had the VirtualRouter configured correctly?
11-24-2020 11:36 PM
Glad to know that your issue is resolved!
Yes, if an IP address is configured without a subnet mask, it is treated as /32 and the firewall adds a /32 host route to its routing table. If the same interface is configured with a subnet mask, say /24, the firewall adds the host route and also a route for the whole /24 network.
Now in your case, there is a chance that you have a static route for the network 192.168.0.0/24 under your VR, and that's why everything is working.
Regards,
Mayur Sutare
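The two points in this thread, the commit-time "does not match subnets defined on pbf interface" check from the original post and the /32-versus-/24 route behaviour described in the answer above, can be reproduced offline. The script below is an added example, not code from the thread or from Palo Alto Networks; it uses Python's standard ipaddress module to model an interface address with or without a prefix length (defaulting to /32 as the answer states), checks whether a PBF next hop falls inside any subnet configured on the egress interface, and lists the routes the answer says the firewall derives from the interface address. The interface names, addresses and rule name are the ones from the thread; the function names and the "next hop equals the interface's own address" sanity check are my own assumptions, not a claim about how PAN-OS validates the rule.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical helper names; not a PAN-OS API.


def parse_interface_address(addr: str) -> ipaddress.IPv4Interface:
    """Model a Layer 3 interface address as the thread describes it:
    an address typed without a prefix length is treated as a /32 host."""
    if "/" not in addr:
        addr = addr + "/32"
    return ipaddress.ip_interface(addr)


def implied_routes(addr: str) -> List[str]:
    """Routes the answer says the firewall installs for an interface address:
    always a /32 host route, plus the connected network when a mask was given."""
    iface = parse_interface_address(addr)
    routes = [f"{iface.ip}/{iface.max_prefixlen}"]
    if iface.network.prefixlen != iface.max_prefixlen:
        routes.append(str(iface.network))
    return routes


def check_pbf_next_hop(interface_name: str, interface_addrs: List[str],
                       next_hop: str, rule_name: str) -> Tuple[bool, str]:
    """Reproduce the commit-time check from the original post: the next hop
    must lie inside a subnet configured on the PBF egress interface.
    Returns (ok, message); the failure message mirrors the commit error text."""
    # The rule form accepts "192.168.0.3/32"; only the host part matters here.
    hop = ipaddress.ip_address(next_hop.split("/")[0])
    for raw in interface_addrs:
        iface = parse_interface_address(raw)
        if hop == iface.ip:
            # Added sanity check (assumption, not PAN-OS behaviour): the firewall's
            # own address is never a useful next hop, even though it "matches" /32.
            return False, (f"Error: pbf rule '{rule_name}': next hop {hop} is the "
                           f"address of {interface_name} itself")
        if hop in iface.network:
            return True, (f"pbf rule '{rule_name}': next hop {hop} is within "
                          f"{iface.network} on {interface_name}")
    return False, (f"Error: pbf rule '{rule_name}': IP {hop} does not match subnets "
                   f"defined on pbf interface {interface_name}. "
                   f"Error: Failed to parse pbf policy")


if __name__ == "__main__":
    # Constructed scenario taken from the thread: the interface was first
    # configured as a bare address (implicit /32), then corrected to /24.
    for iface_addr in ("192.168.0.254", "192.168.0.254/24"):
        ok, msg = check_pbf_next_hop("ethernet1/3.200", [iface_addr],
                                     "192.168.0.3/32", "Test PBF")
        print(f"interface ip {iface_addr!r}: routes={implied_routes(iface_addr)}")
        print(f"  commit {'OK' if ok else 'FAILS'}: {msg}")
```

Running it shows why the original commit failed: with the bare address the only subnet on ethernet1/3.200 is 192.168.0.254/32, which cannot contain 192.168.0.3, while 192.168.0.254/24 yields the connected route 192.168.0.0/24 and the check passes. The same /32 modelling also explains the earlier symptom in the thread: nothing else broke because a static route for 192.168.0.0/24 in the virtual router can stand in for the missing connected route, but the PBF validation looks only at the interface's own subnets.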