04-20-2023 02:30 PM
So, we have 2 ISPs and recently made a PBF rule that takes source, user and destination 'any' to route to ISP 1. Everything works and we can see traffic flowing accordingly. However, when one of our users connected via VPN (GlobalProtect), which is set up to connect to ISP 1, they can connect but were unable to access any of the internal network resources, such as remote desktop into their workstation. Then we added negate 10.0.0.0/8 from Destination and bam, everything is working. I need to understand why this works. Can someone explain what is happening when the negate option is used? Our internal network is in 10.0.0.0/8.
04-21-2023 06:01 PM - edited 04-21-2023 06:03 PM
Hi Guadalupe,
For VPN users the firewall is the default gateway. In a normal configuration without PBF the VPN users will rely on routing configured on the firewall.
If you configure PBF with destination 'Any' without excluding the RFC1918 addresses (10.n.n.n, 192.168.n.n, 172.16-31.n.n):
a) First, that overrides the routing table for the source networks.
b) Second, because the firewall is the default gateway for VPN users and the PBF rule has a destination of 'Any', the rule will act as the only route and default route, and VPN users will have all their traffic, including 10/8, routed via 0.0.0.0/0 to ISP 1 using the PBF rule.
c) If PBF did not break your normal office traffic, the firewall is not acting as the default gateway for your office users, and there is another L3 device that the traffic will use before reaching the firewall.
I personally exclude/negate RFC1918 addresses when using multiple ISPs. In your scenario the negate option tells PBF to route everything using PBF except for the 10.0.0.0/8 network. For network 10.0.0.0/8 use the normal routing table configured on the firewall, and for everything else rely on the PBF rule.
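To make the lookup order in the reply above concrete (PBF is evaluated before the routing table, and negate inverts the destination match so the rule matches everything except the listed networks), here is an added simulation. It is not code from the thread or from PAN-OS; the routing table, the egress labels and the sample addresses are constructed.

```python
import ipaddress

# Constructed routing table for the firewall's virtual router (not from the thread):
# a default route out ISP 2 and a connected route for the internal 10/8 network.
ROUTES = [
    ("0.0.0.0/0", "ISP2 (default route)"),
    ("10.0.0.0/8", "internal LAN"),
]

# PBF rule as the poster first built it: destination 'any', negate unchecked.
PBF_ANY = {"destination": ["0.0.0.0/0"], "negate": False, "egress": "ISP1 (PBF)"}
# PBF rule after the fix: destination 10.0.0.0/8 with negate checked.
PBF_NEGATE_10 = {"destination": ["10.0.0.0/8"], "negate": True, "egress": "ISP1 (PBF)"}
# Variant the reply recommends: negate all three RFC1918 ranges.
PBF_NEGATE_RFC1918 = {
    "destination": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "negate": True,
    "egress": "ISP1 (PBF)",
}

def route_lookup(dst):
    """Longest-prefix match over ROUTES: what happens when no PBF rule matches."""
    best = None
    for prefix, next_hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]

def pbf_matches(rule, dst):
    """Destination match; with negate set, the rule matches everything NOT listed."""
    listed = any(dst in ipaddress.ip_network(p) for p in rule["destination"])
    return listed != rule["negate"]

def forward(dst, pbf_rules):
    """PBF is consulted before the routing table; the first matching rule decides egress."""
    dst = ipaddress.ip_address(dst)
    for rule in pbf_rules:
        if pbf_matches(rule, dst):
            return rule["egress"]
    return route_lookup(dst)

if __name__ == "__main__":
    # VPN user's RDP session to a 10/8 workstation vs. Internet traffic, before and after the fix.
    for name, rule in (("any", PBF_ANY), ("negate 10/8", PBF_NEGATE_10)):
        for dst in ("10.1.2.3", "8.8.8.8"):
            print(f"{name:12} {dst:10} -> {forward(dst, [rule])}")
```

With the original 'any' rule the 10/8 destination never reaches the routing table and leaves via ISP 1, which is why internal resources were unreachable; with negate, 10/8 falls through to the normal route and only other destinations use the PBF egress.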