PBF Dual ISP, inbound NAT broke with spoofing protection enabled



L4 Transporter

Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured. 


When we did this, the inbound NATs broke and I found this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route, which I did, but that made no difference. In the end I had to disable 'Spoofed IP address' from the outside zone protection profile to get it working again.


Does anyone know why you can't have PBF, inbound NATs and spoof protection enabled?


L3 Networker


Have you tried the Enforce Symmetric Return option in the PBF policy's Forwarding section?

Another idea: assign the NAT IP to a loopback interface, then use it for NAT.


Do you mean enforce it on the PBF for the dual internet links?  PAN documentation is so bad and confusing I am not even sure who they got managing it, a trained monkey? 

Cyber Elite

Hi @drewdown ,


Could you tell me why you are using PBF?  Most dual ISP designs can be handled by routing.






Pray tell how it's handled by routing without running BGP between our multitude of carriers? And what is PBF if not routing?


Besides, here is one of many PA articles outlining how to configure DUAL ISPs with failover using PBF: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/use-case-pb...

