The scenario is a dual-ISP scenario using PBF to connect via the primary ISP but switch to the secondary if the primary goes down.
In a Policy Based Forwarding rule in the Monitor section of the Forwarding tab, there are 2 checkboxes: one for Monitoring itself, and the second one labelled "Disable this rule if nexthop/monitor ip is unreachable".
Firstly, what is the point of the 2nd "Disable this rule" checkbox? Why would someone leave it unchecked? If we are monitoring connectivity to an external address, and we can't reach it over the egress interface, would we not always want the PBF rule to disable? In what scenario would we not want to do this?
Secondly, if a monitor IP address is added, does the Palo Alto just check connectivity to that address, or to the next hop as well? The checkbox label says "disable this rule if nexthop/monitor is unreachable", which is unclear to me.
The PBF rule is not applied when the monitoring host is unreachable. If no IP address is specified for monitoring, then the next hop IP is monitored. When a PBF rule is configured with monitoring enabled, the egress interface sends keepalives to the monitoring IP or next hop.
So you asked two questions. I'll try and be brief on both:
Hope that helps.
In a dual-ISP scenario without running BGP, I always advise the customer to add a host-based static route to the ISP serial IP. This way, no matter what platform/feature/checkbox is used, my monitor packet would reach the next hop via the right egress interface.