PBF Monitor Target

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

PBF Monitor Target

L2 Linker

Scenario is dual-ISP scenario using PBF to connect via primary ISP but switch to secondary if primary goes down.


In a Policy Based Forwarding rule in the Monitor section of the Forwarding tab, there are 2 checkboxes: one for Monitoring itself, and the second one labelled "Disable this rule if nexthop/monitor ip is unreachable".


Firstly, what is the point of the 2nd "Disable this rule" checkbox? Why would someone leave it unchecked? If we are monitoring connectivity to an external address, and we can't reach it over the egress interface, would we not always want the PBF rule to disable? What scenario would we not want to do this?


Secondly, if a monitor IP address is added, does the Palo Alto just check connectivity to that address, or also to the next-hop as well? The checkbox label says "disable this rule if nexthop/monitor is unreachable" which is unclear to me.



Cyber Elite
Cyber Elite



PBF rule is not applied when the monitoring host is unreachable. If no IP address is specified for monitoring,  then the next hop IP is monitored. When a PBF rule is configured with monitoring enabled,  the egress interface send keepalives to monitoring IP or next hop.


Cyber Elite
Cyber Elite


So you asked two questions. I'll try and be brief on both:

  1. I really dont have an answer for this. There could be a use case, but cant think of one at the moment.
  2. It will only monitor the IP you specifiy, regardless if its next hop or further down the line.

Hope that helps.

L0 Member

In dual-ISP scenario without running BGP, I always advise to a customer to add host-based static route to ISP serial IP. This way, no matter what  platform/feature/check-box is used, my monitor packet would reach next hop via right egress interface. 

L0 Member

Hi Tom,
For the first point, if you the objective of the monitoring is to fallback then the Disable option should be checked. However if there is no alternative path, and the objectective is just to detect path failure, then the Disable option should not be checked.

For the second point if there is no monitor "IP Address", it will monitor on the "Next Hop". However if there is monitor IP address it will monitor on it instead of the Next Hop. No need to monitor the next hop separetly as it will be used on the way to the "IP Address" anyways.
Hope this make sense.

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!