12-09-2013 01:41 PM
Hi,
We wanted to forward the traffic coming in on the public interface (1.1.1.1) on port 80 to another IP address on another interface (DMZ - 2.2.2.2),
just to forward it, we do not want to NAT.
We've written a PBF: untrust to 1.1.1.1 with destination port 80, forward to eth/DMZ 2.2.2.2.
That did not work. Also, the traffic doesn't match that PBF. What is missing?
12-09-2013 05:25 PM
Could you post the output of 'show running pbf-policy' or a screenshot of your configuration, so we can verify that the config is correct?
Thanks,
tasonibare
12-09-2013 10:50 PM
test {
id 5;
from WAN3;
source any;
destination 8X.10X.10.7X;
user any;
application/service any/tcp/any/23;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/11;
next-hop 10.10.0.48;
terminal no;
}
12-10-2013 04:22 AM
Hello,
Based on your policy, it looks like you are accessing a private IP (DMZ) using a public IP address.
Correct me if I am wrong.
In that situation you need NAT.
Regards,
Hari Yadavalli
12-10-2013 04:31 AM
You can forward a public IP to a private IP. I just wanted to say that the PBF is not working. When I hit "used rules" it comes up with colour; the session is not matching the PBF.
In the flow logic, PBF is first, NAT is later. We also have a destination NAT rule.
12-10-2013 10:27 AM
Your understanding is correct; PBF should come before NAT and it should supersede traditional routing as well.
If your traffic is coming in on zone/interface WAN3 and is destined to the destination IP you have configured, and the firewall is not forwarding the packets to eth1/11, then I suggest you open a ticket to have this looked into.
You can verify the ingress and egress interfaces/zones of the packet by running 'show session id #' in the CLI as well. It is possible that the ingress of the packet is not matching your configured PBF policy.
Regards,
tasonibare
12-11-2013 12:09 AM
You can also test your PBF rule by using the test command in the CLI:
admin@PA> test pbf-policy-match
+ application Application name
+ destination destination IP address
+ destination-port Destination port
+ from From zone
+ from-interface From interface
+ ha-device-id HA Active-Active device ID
+ protocol IP protocol value
+ source source IP address
+ source-user Source User
| Pipe through a command
<Enter> Finish input
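Both the posted 'show running pbf-policy' dump and the 'test pbf-policy-match' command above boil down to the same question: does the tuple (ingress zone, source, destination, protocol, destination port) fall inside the rule's match fields? The following is an added example, not code from the thread or from Palo Alto Networks: a small Python matcher that parses a rule dump in the posted layout and reports which field a packet fails on. The sample rule is constructed in that layout with an RFC 5737 documentation address standing in for the redacted destination; the field checks are a simplified reading of the rule and not PAN-OS's own evaluation, so on the box the `test pbf-policy-match` and `show session id` output remain authoritative. Note that the posted rule's service is tcp/23 while the original question describes port 80 traffic; the matcher makes that kind of discrepancy visible.

```python
import ipaddress
import re

# Constructed sample in the same layout as the 'show running pbf-policy'
# output posted above. 203.0.113.7 is an RFC 5737 documentation address
# standing in for the redacted destination (8X.10X.10.7X).
SAMPLE_POLICY = """\
test {
  id 5;
  from WAN3;
  source any;
  destination 203.0.113.7;
  user any;
  application/service any/tcp/any/23;
  action Forward;
  symmetric-return no;
  forwarding-egress-IF/VSYS ethernet1/11;
  next-hop 10.10.0.48;
  terminal no;
}
"""


def parse_pbf_policy(text):
    """Parse the bracketed rule dump into {rule_name: {field: value}}."""
    rules = {}
    for m in re.finditer(r"(\S+)\s*\{(.*?)\}", text, re.S):
        name, body = m.group(1), m.group(2)
        fields = {}
        for line in body.splitlines():
            line = line.strip().rstrip(";")
            if not line:
                continue
            key, _, value = line.partition(" ")
            fields[key] = value.strip()
        rules[name] = fields
    return rules


def _addr_matches(spec, addr):
    # 'any' or an address/prefix such as 203.0.113.7 or 10.10.0.0/24
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def explain_mismatch(rule, from_zone, src_ip, dst_ip, protocol, dst_port):
    """Return the list of reasons a packet does NOT match the rule (empty = match).

    The application/service field is read as <app>/<proto>/<src-port>/<dst-port>,
    which is how the posted dump renders it (any/tcp/any/23).
    """
    reasons = []
    if rule["from"] not in ("any", from_zone):
        reasons.append(f"ingress zone {from_zone} != {rule['from']}")
    if not _addr_matches(rule["source"], src_ip):
        reasons.append(f"source {src_ip} not in {rule['source']}")
    if not _addr_matches(rule["destination"], dst_ip):
        reasons.append(f"destination {dst_ip} not in {rule['destination']}")
    _app, proto, _sport, dport = rule["application/service"].split("/")
    if proto not in ("any", protocol):
        reasons.append(f"protocol {protocol} != {proto}")
    if dport != "any" and int(dport) != dst_port:
        reasons.append(f"destination port {dst_port} != {dport}")
    return reasons


def pbf_match(rules, from_zone, src_ip, dst_ip, protocol, dst_port):
    """First matching rule as (name, egress interface, next hop), or None."""
    for name, rule in rules.items():
        if not explain_mismatch(rule, from_zone, src_ip, dst_ip, protocol, dst_port):
            return name, rule["forwarding-egress-IF/VSYS"], rule["next-hop"]
    return None


if __name__ == "__main__":
    rules = parse_pbf_policy(SAMPLE_POLICY)
    # 198.51.100.20 is a constructed source address.
    for port in (23, 80):
        hit = pbf_match(rules, "WAN3", "198.51.100.20", "203.0.113.7", "tcp", port)
        why = explain_mismatch(rules["test"], "WAN3", "198.51.100.20", "203.0.113.7", "tcp", port)
        print(f"tcp/{port}: match={hit} reasons={why}")
```

Run it and the port-23 packet resolves to ethernet1/11 via 10.10.0.48, while the port-80 packet fails on the destination-port field only, which is the first thing to compare against the ingress zone, destination and port that `show session id` reports for the live session.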