Error when creating PBF Policy - IP does not match subnet

L1 Bithead
I want to create a PBF Policy in order to route traffic from one zone/interface destined for the Internet to a transparent intercepting squid proxy in another zone/behind another interface. Using a destination nat policy seems to work, but some other problem occurs and I was advised to try a PBF.

 

The PBF is defined as follows:

Source:
  Type: Interface (same with Zone)
  Interface: ethernet1/3.300
  Source Address: 192.168.2.66/32 (I just want this to happen for a single IP)
  Source User: any

Destination/Application Service:
  Destination Address: any (normally destined for targets in the Internet)
  Applications: any
  Service: service-http (tcp/80), service-https (tcp/443)

Forwarding:
  Action: Forward
  Egress Interface: ethernet1/3.200
  Next hop: 192.168.0.3/32

On commit I get the error "Error: pbf rule 'Test PBF': IP 192.168.0.3 does not match subnets defined on pbf interface ethernet1/3.200. Error: Failed to parse pbf policy", which I don't understand, because the network 192.168.0.0/24 is the one assigned to that interface.

What's wrong?

All Replies
Cyber Elite

Under the PBF rule, choose the source as a zone instead of an interface.

Also, for the next hop, use the address on the far side of the link. For example, if the next-hop interface is ae1.100 with IP 1.1.1.2, and this interface connects to a switch or router that has IP 1.1.1.1:

PA - eth  ae1.100 ---IP 1.1.1.2  ------------                  ---IP 1.1.1.1 Vlan 100 on switch

Then the next hop will be 1.1.1.1, which is on the other side of the PA.

Regards

MP
L6 Presenter

@daubsi,

 

Can you please check the subnet mask configured on the interface ethernet1/3.200? Is it /24 or /32?

Make sure it is /24 as per your design.

Mayur S.

L1 Bithead

Indeed! It seems this was the problem! I only had 192.168.0.254 set as the IP address, not 192.168.0.254/24.

Is it then implicitly assumed to be /32? But why did everything else work? Just because I had the virtual router configured correctly?

L6 Presenter

@daubsi,

 

Glad to know that your issue is resolved!

 

Yes, if an IP address is configured without a subnet mask, it is treated as /32 and the firewall adds a /32 host route to its route table. If the same interface is configured with a subnet mask, say /24, the firewall adds a route for that host and also a route for the whole /24 network.

Now, in your case, there is most likely a static route for network 192.168.0.0/24 under your VR, and that's why everything is working.

 

Regards,

Mayur Sutare
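The commit error and the /32-vs-/24 behaviour described in this thread can be reproduced offline with a small model of the check. The following is an added example written for this page, not code from Palo Alto Networks or from any poster; the function names are hypothetical, and the addresses are the ones quoted in the thread. It mirrors two things the accepted answer states: an interface address entered without a mask is treated as /32 (which `ipaddress.ip_interface` also does by default), and a PBF next hop must fall inside a subnet configured on the egress interface.

```python
import ipaddress


def parse_interface_address(addr: str) -> ipaddress.IPv4Interface:
    """Parse an interface address the way the firewall does: no mask means /32."""
    return ipaddress.ip_interface(addr)


def connected_routes(addr: str) -> list[str]:
    """Routes the firewall installs for one interface address (per the thread):
    always a /32 host route, plus the connected network route when a real
    mask (shorter than /32) is configured."""
    iface = parse_interface_address(addr)
    routes = [f"{iface.ip}/32"]
    if iface.network.prefixlen < iface.max_prefixlen:
        routes.append(str(iface.network))
    return routes


def check_pbf_next_hop(rule_name: str, egress_iface: str,
                       iface_addrs: list[str], next_hop: str) -> tuple[bool, str]:
    """Hypothetical model of the commit-time PBF validation: the next hop must
    lie inside a subnet configured on the egress interface. A host-only (/32)
    interface address therefore matches nothing but itself."""
    hop = ipaddress.ip_address(next_hop.split("/")[0])  # thread writes it as 192.168.0.3/32
    for addr in iface_addrs:
        iface = parse_interface_address(addr)
        if hop in iface.network:
            return True, (f"pbf rule '{rule_name}': next hop {hop} is inside "
                          f"{iface.network} on {egress_iface}")
    return False, (f"Error: pbf rule '{rule_name}': IP {hop} does not match subnets "
                   f"defined on pbf interface {egress_iface}")


if __name__ == "__main__":
    # Constructed from the thread: interface configured without a mask ...
    print(connected_routes("192.168.0.254"))
    print(check_pbf_next_hop("Test PBF", "ethernet1/3.200",
                             ["192.168.0.254"], "192.168.0.3/32")[1])
    # ... versus the intended /24.
    print(connected_routes("192.168.0.254/24"))
    print(check_pbf_next_hop("Test PBF", "ethernet1/3.200",
                             ["192.168.0.254/24"], "192.168.0.3/32")[1])
```

Running it shows why the rest of the setup could still work with the /32 address: the host route exists either way, and a separate static route under the virtual router can cover 192.168.0.0/24, but the PBF validation looks only at the subnets on the interface itself, so the next hop is rejected until the /24 mask is present.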