PBF Dual ISP, inbound NAT broke with spoofing protection enabled


Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured. 

 

When we did this the inbound NATs broke and I found this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF-specific route, which I did, but that made no difference. In the end I had to disable 'Spoofed IP address' in the outside zone protection profile to get it working again.

 

Does anyone know why you can't have PBF, inbound NATs and spoof protection enabled?


Hello,

Have you tried the Enforce Symmetric Return option in the Forwarding section of the PBF policy?

*Another idea: assign the NAT IP to a loopback interface, then use it for NAT.
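As an added example (not from this reply or from any Palo Alto document), here is what the Enforce Symmetric Return suggestion looks like as PAN-OS configure-mode set commands for an inbound-facing PBF rule on the secondary ISP, followed by re-enabling the spoofed-IP check that the question's author turned off as a workaround. The zone names (untrust-ISP2, trust side on ethernet1/3), interfaces, the public NAT address 198.51.100.10, the ISP2 gateway 198.51.100.1, the internal next hop 10.0.0.2, the rule name and the profile name Outside-ZPP are all assumed placeholders; confirm the exact keywords against your PAN-OS release before committing.

```text
# Added example, not from the original thread. PAN-OS configure-mode "set"
# commands; every name, interface and address below is an assumed placeholder.
configure

# PBF rule for traffic arriving from the secondary ISP toward the public NAT
# address. PBF is evaluated on the pre-NAT packet, so the rule matches the
# public address on the wire, not the internal server.
set rulebase pbf rules PBF-Inbound-ISP2 from zone untrust-ISP2
set rulebase pbf rules PBF-Inbound-ISP2 source any
set rulebase pbf rules PBF-Inbound-ISP2 destination 198.51.100.10
set rulebase pbf rules PBF-Inbound-ISP2 application any
set rulebase pbf rules PBF-Inbound-ISP2 service any

# Forward toward the inside. 10.0.0.2 is an assumed internal router; when the
# server subnet is directly connected the next hop can be left unset
# (Next Hop: None in the web UI).
set rulebase pbf rules PBF-Inbound-ISP2 action forward egress-interface ethernet1/3 nexthop ip-address 10.0.0.2

# Symmetric return: replies for sessions that matched this rule leave via the
# ISP2 gateway instead of following the default route out ISP1.
set rulebase pbf rules PBF-Inbound-ISP2 enforce-symmetric-return enabled yes
set rulebase pbf rules PBF-Inbound-ISP2 enforce-symmetric-return nexthop-address-list 198.51.100.1

# Once replies take the symmetric path, put the spoofed-IP check back rather
# than leaving it disabled as a workaround. Profile name assumed.
set network profiles zone-protection-profile Outside-ZPP discard-ip-spoof yes

commit
```

After the commit, confirm with a test session from the ISP2 side that the reply leaves ethernet1/2 (for example via the session browser or `show session id`), and only then re-enable the spoof check; if sessions still show the reply egressing the ISP1 interface, the symmetric-return next hop or the rule match is wrong, and turning the check back on will drop them again.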


Do you mean enforce it on the PBF for the dual internet links?  PAN documentation is so bad and confusing I am not even sure who they got managing it, a trained monkey? 


Hi @drewdown ,

 

Could you tell me why you are using PBF?  Most dual ISP designs can be handled by routing.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Pray tell how it's handled by routing without running BGP between our multitude of carriers? And what is PBF if not routing?

 

Besides here is one of many PA articles outlining how to configure DUAL ISPs with failover using PBF: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/use-case-pb...

 


Hi @drewdown ,

 

Ahh!  I see.  You are using PBF because the article which you posted said to use it.  My bad.  I use this method with my customers -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO.  It works well.  It uses route metrics for forwarding and not PBF.  It's more straightforward.  I am curious if removing PBF may remove the NAT issue.

 

While PBF is policy routing, I prefer a route table lookup.  That's what I meant by routing.  The nice thing about using the route table is that you can also use both ISPs if you want.  You would need to enable ECMP in your VR.  I would check the Symmetric Return box.  I had one customer where load balancing broke voice, but changing the ECMP method to IP Hash fixed the issue.

 

With regard to path monitoring, I like to use 2 Internet IP addresses so that one down host doesn't take down the circuit.  I ran into one customer (not my setup) that was monitoring 8.8.8.8 for HA path monitoring, and the host went down causing a firewall failover!

 

Thanks,

 

Tom

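As an added example (not part of Tom's reply or of the Palo Alto article he links), this is the route-table version of dual-ISP failover he describes, written as PAN-OS configure-mode set commands: two default routes with different metrics, path monitoring on each using two probe destinations so a single dead host does not withdraw the route, and the optional ECMP settings (IP hash, symmetric return) for using both links. The virtual router name default, interfaces ethernet1/1 and ethernet1/2, the gateways 203.0.113.1 and 198.51.100.1, the interface addresses used as probe sources and the probe targets are assumed placeholders; option spellings, particularly under ecmp algorithm, should be checked against your PAN-OS release.

```text
# Added example, not from the original thread. PAN-OS configure-mode "set"
# commands; every name, interface and address below is an assumed placeholder.
configure

# Two default routes. The metric-10 route via ISP1 wins while it is usable;
# when its path monitor fails the route is withdrawn and ISP2 (metric 20)
# takes over. No PBF rule is involved, so inbound NAT follows normal routing.
set network virtual-router default routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 20

# Path monitoring per route. Two probe targets with failure-condition "all"
# withdraw the route only when both targets are unreachable, so one dead
# public host cannot take the circuit down. The source is the interface IP
# (assumed 203.0.113.10 on ISP1 and 198.51.100.10 on ISP2).
set network virtual-router default routing-table ip static-route ISP1-default path-monitor enable yes failure-condition all hold-time 2
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations probe-1 enable yes source 203.0.113.10/32 destination 1.1.1.1 interval 3 count 5
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations probe-2 enable yes source 203.0.113.10/32 destination 9.9.9.9 interval 3 count 5

set network virtual-router default routing-table ip static-route ISP2-default path-monitor enable yes failure-condition all hold-time 2
set network virtual-router default routing-table ip static-route ISP2-default path-monitor monitor-destinations probe-1 enable yes source 198.51.100.10/32 destination 1.1.1.1 interval 3 count 5
set network virtual-router default routing-table ip static-route ISP2-default path-monitor monitor-destinations probe-2 enable yes source 198.51.100.10/32 destination 9.9.9.9 interval 3 count 5

# Optional: use both links at once. ECMP only balances between routes of
# equal metric, so give both defaults the same metric first. IP hash keeps a
# given source/destination pair on one link (the fix for the voice problem
# mentioned above); symmetric return sends replies out the interface the
# session arrived on.
set network virtual-router default routing-table ip static-route ISP2-default metric 10
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp max-path 2
set network virtual-router default ecmp symmetric-return yes
set network virtual-router default ecmp algorithm ip-hash

commit
```

Leave the ECMP section out if you only want active/standby failover; with the unequal metrics the firewall installs one default route at a time and `show routing route` will show which one is currently active.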

Hell yeah brother!  Another PA article giving yet another way to skin a cat.  I will take a look and see if it works better because I absolutely hate PBF with a passion and all the nuances (breaking) that come along with it.

 

I guess this just goes back to PA articles offering so many different solutions.  I mean I do it one way and you do it a completely different way, but if I google PA dual ISPs the first link is using PBF.   Also, PBF monitors the link as well to an external IP; it just requires that you have all the networks defined that you want to be applied to that PBF.  It then breaks inbound NAT as you can see and causes issues with VPN traffic hairpinning to the internet and to other VPN tunnels.
