PBF Rule breaks internal network access when connected to VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PBF Rule breaks internal network access when connected to VPN

L0 Member

So, we have 2 ISPs and recently made a PBF rule that takes source, user and destination 'any' to route to ISP 1. Everything works and we can see traffic flowing accordingly. However, When 1 of our users connected via VPN (global protect) which is setup to connect to ISP 1, they can connect but were unable to access any of the internal network resources such as remote desktop into their workstation. Then we added negate 10.0.0.0/8 from Destination and bam, everything is working. I need to understand why this works? Can someone explain what is happening when the negate option is used? Our internal network is in 10.0.0.0/8.

1 accepted solution

Accepted Solutions

L3 Networker

Hi Guadalupe,

 

For VPN users the firewall is the default gateway. In a normal configuration without PBF the VPN users will rely on routing configured on the firewall.

 

If you configure PBF to destination 'Any' without excluding RFC1918 addresses 10.n.n.n 192.168.n.n 172.16.-31.

 

a)  First that overrides that routing table for src networks

 

b)  second because the firewall is default-gateway for VPN users & the PBF rule has destination of 'Any' will act as the only route & default-route, and VPN users will have all their traffic including 10/8 routed via 0.0.0.0/0 ISP 1 using PBF rule.

 

c) If PBF did not break you normal office traffic, the firewall is not acting as default gateway for your office users, and their is another L3 device that the traffic will use before reaching the Firewall.

 

I personally exclude/negate RFC1918 address when using multiple ISP's.  in your scenario the negate option tells PBF route for everything using PBF, Except for 10.0.0.0/8 network. For Network 10.0.0.0/8 use the normal routing table configured on the firewall and for everything else rely on the PBF rule.

 

 

View solution in original post

1 REPLY 1

L3 Networker

Hi Guadalupe,

 

For VPN users the firewall is the default gateway. In a normal configuration without PBF the VPN users will rely on routing configured on the firewall.

 

If you configure PBF to destination 'Any' without excluding RFC1918 addresses 10.n.n.n 192.168.n.n 172.16.-31.

 

a)  First that overrides that routing table for src networks

 

b)  second because the firewall is default-gateway for VPN users & the PBF rule has destination of 'Any' will act as the only route & default-route, and VPN users will have all their traffic including 10/8 routed via 0.0.0.0/0 ISP 1 using PBF rule.

 

c) If PBF did not break you normal office traffic, the firewall is not acting as default gateway for your office users, and their is another L3 device that the traffic will use before reaching the Firewall.

 

I personally exclude/negate RFC1918 address when using multiple ISP's.  in your scenario the negate option tells PBF route for everything using PBF, Except for 10.0.0.0/8 network. For Network 10.0.0.0/8 use the normal routing table configured on the firewall and for everything else rely on the PBF rule.

 

 

  • 1 accepted solution
  • 712 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!