01-14-2019 01:01 AM
Hello everyone,
New here and fighting with my new PA-820.
I have 2 ISPs and I want to make the best use possible of those two.
So I created a PBF which reroutes HTTP and HTTPS traffic over the 2nd modem.
Now I have speeds over 350 Mbit/s for clients and am not bothering other important server data, which I have only 40 Mbit/s for.
So this is all working fine! Until I use GP for VPN.
The HTTP and HTTPS reroute works fine though, but the internal web applications over port 80 and 443 are rerouted as well.
So every internal webserver will time out. Age out and is incomplete.
But for example a webserver with a different port (like Synology port 5000) will work fine.
Now GP is more important, so I turned off the PBF and everything works now...
But I really want to use our wide bandwidth instead of a very narrow one.
I've tried everything from tunnel traffic no-pbf rule to DNATs to stop GP from using the PBF rule.
But maybe I'm overlooking something...
Can someone point me in the right direction?
01-14-2019 01:07 AM
Hey @Joukevanduijsen
Can you share a screenshot of your PBF policy when it was at the undesired state?
Thanks,
Luke.
01-14-2019 01:23 AM - edited 01-14-2019 01:27 AM
Sure! Here it is!
As you can see, I've already tried to negate the VPN pool, but the GP is also directly hooked to the trust zone.
The last IP you see is monitoring, if this IP is not reachable the PBF rule is deactivated.
01-14-2019 01:32 AM
Your PBF rule should only really be applied to destination zone Untrust, that way it will only activate for internet facing traffic where NAT via the two ISPs is actually required. Then, when you try to visit some internal server in destination zone Trust or DMZ the PBF policy won't even be applied.
What I have done in the past:
Source Zone: Trust
Source IP: Any
Destination IP: All RFC 1918 addresses (negate option checked)
Destination Zone: Untrust
01-14-2019 01:52 AM
Ahh! Thank you! I'm going to try that now
01-14-2019 07:04 AM
That didn't work... but the session browser told me a critical thing.
The data was not correctly sent back..
So after thinking with two people, we decided to create this:
PBF1 - VPN zone to Trust - any any - No PBF
PBF2 - Trust to VPN IP Pool - any any - No PBF
PBF3 - Trust to Any - Forward Application [Web-Browsing + SSL] to I/F Eth1/1.400, next hop Router Gateway with Monitor
Now everything works as expected!
Thank you for your precious time 🙂
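To make the ordering point behind both suggestions concrete (the "negate all RFC 1918 destinations" variant and the three-rule set that finally worked), here is a small first-match PBF evaluator. It is an added example written for this thread, not the poster's configuration or a PAN-OS API: zone names, the 192.168.1.0/24 trust LAN, the 10.10.10.0/24 GlobalProtect pool, the 203.0.113.10 internet host and the interface name are constructed, destinations are modelled as address prefixes, and App-ID is approximated by destination port. It shows that a forward rule with no exceptions above it catches GP-to-intranet HTTPS and the server's return direction, that the two no-PBF rules fix that only when they sit above the forward rule, and that the negate-RFC1918 variant reaches the same outcome by never matching private destinations.

```python
"""Toy first-match evaluator for policy-based forwarding (PBF) rules.

Added example, not from the forum thread or Palo Alto Networks. All zones,
addresses and interface names are constructed sample values; App-ID is
approximated by destination port for simplicity.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed addressing.
TRUST_LAN = ipaddress.ip_network("192.168.1.0/24")   # internal clients and servers
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")     # GlobalProtect client pool
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Simplification: App-ID approximated by destination port.
APP_BY_PORT = {80: "web-browsing", 443: "ssl"}


@dataclass
class Flow:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

    @property
    def app(self) -> str:
        return APP_BY_PORT.get(self.dst_port, "unknown-tcp")


@dataclass
class PbfRule:
    name: str
    action: str                                   # "no-pbf" or "forward"
    src_zones: List[str] = field(default_factory=lambda: ["any"])
    src_nets: List[ipaddress.IPv4Network] = field(default_factory=lambda: [ANY])
    dst_nets: List[ipaddress.IPv4Network] = field(default_factory=lambda: [ANY])
    negate_dst: bool = False                      # the "negate" checkbox on the destination
    apps: List[str] = field(default_factory=lambda: ["any"])
    egress: Optional[str] = None                  # egress interface for forward rules

    def matches(self, f: Flow) -> bool:
        src = ipaddress.ip_address(f.src_ip)
        dst = ipaddress.ip_address(f.dst_ip)
        zone_ok = "any" in self.src_zones or f.src_zone in self.src_zones
        src_ok = any(src in n for n in self.src_nets)
        dst_in = any(dst in n for n in self.dst_nets)
        dst_ok = (not dst_in) if self.negate_dst else dst_in
        app_ok = "any" in self.apps or f.app in self.apps
        return zone_ok and src_ok and dst_ok and app_ok


def evaluate(rules: List[PbfRule], f: Flow) -> str:
    """First-match decision: 'no-pbf' for an exception rule, the egress
    interface for a forward rule, or 'route-table' when nothing matched."""
    for r in rules:
        if r.matches(f):
            return "no-pbf" if r.action == "no-pbf" else r.egress
    return "route-table"


# Rule set 1: the thread's working design, exceptions ordered above the forward rule.
PBF1 = PbfRule("vpn-to-trust-no-pbf", "no-pbf", src_zones=["vpn"], dst_nets=[TRUST_LAN])
PBF2 = PbfRule("trust-to-vpnpool-no-pbf", "no-pbf", src_zones=["trust"], dst_nets=[VPN_POOL])
PBF3 = PbfRule("web-to-isp2", "forward", src_zones=["trust", "vpn"],
               apps=["web-browsing", "ssl"], egress="ethernet1/1.400")
WORKING = [PBF1, PBF2, PBF3]
BROKEN = [PBF3]                       # the original lone forward rule, no exceptions
MISORDERED = [PBF3, PBF1, PBF2]       # same rules, forward rule evaluated first

# Rule set 2: the "negate all RFC 1918 destinations" variant.
NEGATED = [PbfRule("web-to-isp2-negate-private", "forward", src_zones=["trust", "vpn"],
                   dst_nets=RFC1918, negate_dst=True,
                   apps=["web-browsing", "ssl"], egress="ethernet1/1.400")]

# Constructed sample flows.
GP_TO_INTRANET_HTTPS = Flow("vpn", "10.10.10.5", "192.168.1.20", 443)      # GP client -> internal web app
INTRANET_REPLY_TO_GP = Flow("trust", "192.168.1.20", "10.10.10.5", 443)     # server's return direction
GP_TO_NAS = Flow("vpn", "10.10.10.5", "192.168.1.30", 5000)                 # non-web port
LAN_TO_INTERNET_HTTPS = Flow("trust", "192.168.1.50", "203.0.113.10", 443)  # should use ISP2


def decisions(rules: List[PbfRule]) -> dict:
    """Evaluate the four sample flows against a rule set."""
    return {
        "gp_to_intranet_https": evaluate(rules, GP_TO_INTRANET_HTTPS),
        "intranet_reply_to_gp": evaluate(rules, INTRANET_REPLY_TO_GP),
        "gp_to_nas": evaluate(rules, GP_TO_NAS),
        "lan_to_internet_https": evaluate(rules, LAN_TO_INTERNET_HTTPS),
    }


if __name__ == "__main__":
    for label, rs in (("broken", BROKEN), ("misordered", MISORDERED),
                      ("working", WORKING), ("negated", NEGATED)):
        print(label, decisions(rs))
```

Running it shows the lone forward rule (and the misordered set) sending both GP-to-intranet HTTPS and the server's return direction out ethernet1/1.400, while the NAS on port 5000 is untouched, exactly the symptom pattern in the original post; the working set returns no-pbf for both VPN directions and still forwards LAN-to-internet HTTPS to the second ISP.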
08-18-2021 10:04 PM
Thank you, Joukevanduijsen!
I was having this issue as well but due to different circumstances. I have an Appliansys Caching Server. All 80 & 443 traffic is routed to that device via a PBF rule. Everything works great except when I'm connected via GlobalProtect VPN. When I'm connected via GP, I can access any device in my network that uses a port other than 80 & 443. When I disable the PBF rule, everything works fine. I've been working with support on this for two weeks without any progress. Your post solved this for me. I just wanted to reply to thank you and confirm this does work!
Cheers