PBF for incoming traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PBF for incoming traffic

L1 Bithead

Hello everyone,

I've a setup on a PA-820 cluster with 3 ISP connections.

Every connection has its own zone (for clarity WAN-1, WAN-2 and WAN-3) and the default route in the virtual router is for WAN-2.

I need to publish some services from my DMZ subnet on the WAN-1 but if I try to configure the nat and security policy i can't see any sort of traffic coming from Internet because of asymmetric routing.

The packet is entering from the interface on WAN-1 zone but the response packet is going through the default route to WAN-2.

I try to configure a PBF policy (following this article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK) for the WAN-1 interface with forward to egress interface of DMZ and force return to WAN-1 isp router but is not working at all.

In the traffic monitor I can't see nothing and if I make a packet capture on the interface I see a lot of tcp retransmissions.

Any idea to solve the problem and to configure the pbf correctly?

Regards

 

Michele

1 accepted solution

Accepted Solutions

L1 Bithead

Hi everyone,

finally I found the resolution to my problem.

I find out that on my zones WAN-1,WAN-2,WAN-3 there was a zone protection policy and the option "IP Spoofed Address" was enabled.

I create a new zone protection specific for the WAN-1 zone disabling the mentioned option and suddenly everything starts working as expected.

I already have a PBF for outgoing traffic from the DMZ to the WAN-1 for returning traffic as suggested by Tom.

Thanks to everyone

 

Michele

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi @MicheleCane ,

 

If you enabled ECMP with Symmetric Return traffic coming in a WAN interface will go out the same interface.  If you want all traffic to continue to go out WAN-2, then you could use a Method of Weighted Round Robin with WAN-2 configured for 100 and WAN-1 and WAN-3 configured for 0.  You will need to add default routes for WAN-1 and WAN-3, but the WRR should force all outbound traffic out WAN-2.  I have NOT tested this in a lab.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Michele,

 

Did you find the solution to you're issue?

 

Regards

Not yet, I try to find a solution using pbf because it's a production environment and I'm a little scary of making changes in the virtual router

Hi Michele,

 

what I was thinking is configuring the nat with bidirectional, so whatever the service your publishing using wan 1 or 2 for those NATs you can enable bidirectional, so that they follow same session on which interface traffic is arriving

 

just a thought.

 

Regards

 

Cyber Elite
Cyber Elite

Hi @MicheleCane ,

 

For those services on DMZ that you want to publish on WAN-1, do you want all traffic from those DMZ servers to egress WAN-1?  If so, create a simple PBF rule that forwards all traffic from that source IP to the WAN-1 next hop.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi everyone,

finally I found the resolution to my problem.

I find out that on my zones WAN-1,WAN-2,WAN-3 there was a zone protection policy and the option "IP Spoofed Address" was enabled.

I create a new zone protection specific for the WAN-1 zone disabling the mentioned option and suddenly everything starts working as expected.

I already have a PBF for outgoing traffic from the DMZ to the WAN-1 for returning traffic as suggested by Tom.

Thanks to everyone

 

Michele

  • 1 accepted solution
  • 2163 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!