I have two ISP interfaces connected to my Palo Alto.
I need to make a PBF for Cisco VPN client app traffic to cross through the second ISP.
In the PBF section in Policies, I set the application to cisco-vpn, ipsec-udp and IKE and set the destination and next hop,
but traffic still goes through the first ISP.
What am I missing?
And is it possible to make a PBF based on source address?
So right off the bat I would say that you are missing a few applications in the PBF that you've detailed (DTLS, SSL, etc.). However, are you trying to set the 'client' traffic, as in when users are already connected to the VPN? Because if you are, those applications would be whatever the user is navigating to, exactly as if they were an internal user.
You could build a PBF that simply has the host as your IP pool used for AnyConnect clients, set the destination, applications, and service to any, and then set the forwarding appropriately.
So just a couple of things to keep in mind.
- If you are looking for the client traffic to traverse the PBF and go out the second ISP, you don't need a PBF policy that specifies what the clients would use to connect to the ASA. The communication from client to the ASA would be handled by routing, not PBF.
- Make sure that your PBF policy is actually built out correctly and verify that the traffic should match the PBF policy as you have it configured. You can do this via the CLI with the 'test pbf-policy-match' command and building out the traffic flow that you would expect to match your policy.
- If you specify applications in a PBF, it takes a few packets for the firewall to determine the application and actually start using the PBF; so you wouldn't expect all traffic to traverse this firewall as specified in the PBF until the firewall knows what application is being used.
- It sounds like you could really do this with routing a fair bit easier than using a PBF. Obviously there could be issues that you haven't detailed here that prevent that, but from what you've stated it sounds like routing changes would be the easier answer.
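As an added example (not from this thread, and not the poster's or the answerer's configuration), here is what a source-based PBF rule for the VPN client pool, together with the 'test pbf-policy-match' check from the list above, could look like in PAN-OS set-command form. The zone names, the 10.10.10.0/24 pool, ethernet1/2 and the 203.0.113.1 next hop are placeholders; the keyword syntax is written from memory of PAN-OS and should be confirmed with '?' completion on your own version. Lines starting with '#' are annotations for the reader, not CLI input.

```panos
# Added example, not from the thread. All names and addresses are placeholders.
# Assumes: the AnyConnect client pool 10.10.10.0/24 enters the firewall in zone
# "trust", and the second ISP is on ethernet1/2 with next hop 203.0.113.1.
configure

# Source-based PBF: match only on the client pool and leave application and
# service as any, so the rule applies from the first packet rather than waiting
# for App-ID to identify the session.
set rulebase pbf rules VPN-Clients-via-ISP2 from zone trust
set rulebase pbf rules VPN-Clients-via-ISP2 source 10.10.10.0/24
set rulebase pbf rules VPN-Clients-via-ISP2 destination any
set rulebase pbf rules VPN-Clients-via-ISP2 application any
set rulebase pbf rules VPN-Clients-via-ISP2 service any
set rulebase pbf rules VPN-Clients-via-ISP2 action forward egress-interface ethernet1/2 nexthop ip-address 203.0.113.1

commit
exit

# Verify before trusting it: build the flow you expect a client to generate
# (here, a client at 10.10.10.25 opening HTTPS to a placeholder 198.51.100.10)
# and confirm the firewall reports this rule as the match.
test pbf-policy-match from trust to untrust source 10.10.10.25 destination 198.51.100.10 protocol 6 destination-port 443
```

If the test command returns no match, the fields to re-check are the source zone (PBF "from" is the ingress zone or interface of the client traffic, not the ASA's), the pool prefix, and a typo in an address; the same test is also a quick way to confirm that a rule you deleted in favour of a static route on the virtual router is no longer being hit.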
It's working now.
I did it with routing on the virtual router.
There was a number 3 instead of 1 in the dest. IP.
Can I ask you about preventing downloads using Palo Alto, or will I need another post?
Generally I would say that new issues/questions should be posted in a new thread. This simply allows others to find them more easily in the search function and keeps the thread relevant to the topic at hand.
When you post the new thread, however, one of my initial questions would be what context you are looking to block downloads in (i.e. limiting the speed at which they download, specific sites, or simply all downloads) and whether or not you have SSL decryption set up. That would all be relevant information in coming up with the best solution for what you are looking to do, but the answer is yes, it's something the firewall can do.