PBF and cisco vpn client


L2 Linker

Hi everyone


I have two ISP interfaces connected to my Palo Alto.


I need to make a PBF for Cisco VPN client app traffic to cross through the second ISP.


In the PBF section in Policies, I set the application to cisco vpn and ipsec-udp and IKE and set the destination and next hop,
but traffic still goes through the first ISP.

What am I missing?

And is it possible to make a PBF based on source address?


Cyber Elite


So right off the bat I would say that you are missing a few applications in the PBF that you've detailed (DTLS, SSL, etc.). However, are you trying to set the 'client' traffic, as in when users are already connected to the VPN? Because if you are, those applications would be whatever the user would be navigating to, exactly as if they were an internal user.

You could build a PBF that simply has the host as your IP pool used for AnyConnect clients, set the destination, applications, and service to any; and then set the forwarding appropriately. 

I did add DTLS / also the app is using IPsec over UDP.

I created another policy with no app / just the destination address which my internal clients connect to using Cisco VPN.

And also didn't work.

I feel my current OS is very buggy.


So just a couple things to keep in mind. 

- If you are looking for the client traffic to traverse the PBF and go out the second ISP you don't need a PBF policy that specifies what the clients would use to connect to the ASA. The communication from client to the ASA would be handled by routing, not PBF. 

- Make sure that your PBF policy is actually built out correctly and verify that the traffic should match the PBF policy as you have it configured. You can do this via the CLI with the 'test pbf-policy-match' command and building out the traffic flow that you would expect to match your policy. 

- If you specify applications in a PBF it takes a few packets for the firewall to determine the application and actually start using the PBF; so you wouldn't expect all traffic to traverse this firewall as specified in the PBF until the firewall knows what application is being used. 

- It sounds like you could really do this with routing a fair bit easier than using a PBF. Obviously there could be issues that you haven't detailed here that prevent that, but from what you've stated it sounds like routing changes would be the easier answer. 

Thank you


It's working now.

I did it with routing on the virtual router.
There was a number 3 instead of 1 in the dest. IP.

Thank you

Can I ask you about preventing downloads using Palo Alto, or will I need another post?


Generally I would say that new issues/questions should be posted in a new thread. This simply allows others to find them easier in the search function and keeps the thread relevant to the topic at hand. 

When you post the new thread, however, one of my initial questions would be what context you are looking to block downloads in (i.e., limiting the speed at which they download, specific sites, or simply all downloads) and whether or not you have SSL decryption set up. That would all be relevant information in coming up with the best solution for what you are looking to do, but the answer is yes, it's something the firewall can do. 

Thank you
I will make a new post.
