Scenario is dual-ISP scenario using PBF to connect via primary ISP but switch to secondary if primary goes down.
In a Policy Based Forwarding rule in the Monitor section of the Forwarding tab, there are 2 checkboxes: one for Monitoring itself, and the second one labelled "Disable this rule if nexthop/monitor ip is unreachable".
Firstly, what is the point of the 2nd "Disable this rule" checkbox? Why would someone leave it unchecked? If we are monitoring connectivity to an external address, and we can't reach it over the egress interface, would we not always want the PBF rule to disable? What scenario would we not want to do this?
Secondly, if a monitor IP address is added, does the Palo Alto just check connectivity to that address, or also to the next-hop as well? The checkbox label says "disable this rule if nexthop/monitor is unreachable" which is unclear to me.
For the first point, if you the objective of the monitoring is to fallback then the Disable option should be checked. However if there is no alternative path, and the objectective is just to detect path failure, then the Disable option should not be checked.
For the second point if there is no monitor "IP Address", it will monitor on the "Next Hop". However if there is monitor IP address it will monitor on it instead of the Next Hop. No need to monitor the next hop separetly as it will be used on the way to the "IP Address" anyways.
Hope this make sense.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!