Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured.
When we did this the inbound NATs broke and I found this article:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route which I did but that made no difference. In the end I had to disable 'Spoofed IP address' from the outside zone protection profile to get it working again.
Does anyone know why you can't have PBF, inbound NAT's and spoof protection enabled?
Hi @drewdown ,
Ahh! I see. You are using PBF because the article which you posted said to use it. My bad. I use this method with my customers -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO. It works well. It uses route metrics for forwarding and not PBF. It's more straightforward. I am curious if removing PBF may remove the NAT issue.
While PBF is policy routing, I prefer a route table lookup. That's what I meant by routing. The nice thing about using the route table is that you can also use both ISPs if you want. You would need to enable ECMP in your VR. I would check the Symmetric Return box. I had one customer where load balancing broke voice, but changing the ECMP method to IP Hash fixed the issue.
With regard to path monitoring, I like to use 2 Internet IP addresses so that one down host doesn't take down the circuit. I ran into one customer (not my setup) that was monitoring 220.127.116.11 for HA path monitoring, and the host went down causing a firewall failover!
Hell yeah brother! Another PA article yet giving another way to skin a cat. I will take a look and see if it works better because I absolutely hate PBF with a passion and all the nuances (breaking) that comes along with it.
I guess this just goes back to PA articles and so many offering so many different solutions. I mean I do it one way and you do it a completely different way but if I google PA dual ISPs the first link is using PBF. Also PBF monitors the link as well to an external IP it just requires that you have all the networks defined that you want to be applied to that PBF. It then breaks inbound NAT as you can see and causes issue with VPN traffic hairpinning to the internet and to other VPN tunnels.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!