PBR forwarding does not work

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PBR forwarding does not work

L3 Networker

For the first time I configured a Palo Alto firewall.

I have created three zones each connected with a specific interface:

INTERN

EXTERN

DMZ

 

For each zone I created a virtuel router each configured with static routes :

Intern:

DMZ -> Interface DMZ

Dmz:

EXTERN -> Interface EXTERN

INTERN -> Interface INTERN

Extern

0.0.0.0 0.0.0.0 -> IP ISP Router

DMZ -> Interface DMZ

 

I connected PC's on each interface with the correct IP settings. Each PC can ping its own default gateway on the firewall but they can't ping each other. In the policy settings I created a rule that everuthing is allowed between the zones.

 

What can be the problem?

 

 

1 accepted solution

Accepted Solutions

@ZEBIT

there are a few scenarios: you can use multiple VR if you need to segregate interfaces from eachother: they will not be able to reach eachother unless you add a route to specifically allow it (all interfaces on the same vr can automatically 'route' to eachother)

 

PBF can be used to make a preferred route on top of normal routing eg. if you have 2 ISP, one leased line and one DSL, you could create a PBF to route non-important web-browsing over the DSL line. If the ISP were to fail, routing would fall back to your static routes and web-browsing would go over the leased line

 

PBF and multiple VR's don't necessarily need to go hand in hand, the dual ISP solution does not require 2 VRs, but this scenario does:

if you need to set up redundant VPN tunnels, you will need to have 2 static route (eg default gateways) working at the same time so the tunnels can remain 'up'. PBF can then be used to direct traffic to one VR or the other depending on your preferred conditions

 

 

hope this makes sense (did you check out the PBF article i provided above ?

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

L3 Networker

The routing seems to work better after creating some policies.

But the clients still doesn't respond. In the traffic monitor I always get Session End Reason: aged out.

I need to create a PBF rule that does not PBR the traffic between INTERN and DMZ but I don't understand why.

L7 Applicator

With the virtual routers you will need a route in each of the virtual routers to the other VR subnets that need to be reached.  so the internal VR needs a default route to external vr for internet access.  And a route to the dmz vr for that subnet.

 

The external vr needs a route to internal subnet via internal vr and to dmz subnet for the dmz vr.

 

the DMZ vr needs a default route to the external vr for internet access and to the internal subnet via the internal vr.

 

No PBF is needed just the routes.

 

Now the traffic you want to allow require security policies to permit the traffic from zone to zone based on who initiates the tcp session.

 

Finally, you need to create NAT policies also from zone to zone based on tcp initiation for the source nat for internet access and for any inbound DMZ destination nat traffic.

 

Why are you puting every zone in a virtual router?

None of that routing configuration is needed if all the interfaces are just in the same router to begin with.  Generally the only reason to separate virtual routers is if you have dual ISP and need to have two active default routes at the same time so we need two routing tables to accomplish this.  Your setup seems pretty standard and would be much simpler in just a single base router setup.

 

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I agree with @pulukas: your configuration would be much simpler if you set all interfaces in the same virtual router, then you'd only need security policies and NAT to make everyhting work

 

please take a look at this article which may help you on your way:  Getting Started: Layer 3, NAT, and DHCP

 

and this one on PBF: Getting Started: Policy Based Forwarding

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@ZEBIT,

I'm just going to second what @pulukas has already stated. From what you've described, there isn't really any reason to have multiple VRs. TO keep your configuration looking a bit more standard I would simply combine all of the zones into one virtual router, if you continue to keep everything the way you are doing you'll run into configuration issues. To add to that a little bit, almost every guide that you read going forward is centered around one Virtual Router configuration, not multiple. Guides may not work for you as you intend, support may not be as able to help you do to your configuration, and most of the Live community is going to just assume you have one VR. 

After some searching I got everything to work with my configuration.

But when and why you would use multiple virtual routers and PBR?

As mentioned here it is only necessary if you use multiple ISP.

@ZEBIT

there are a few scenarios: you can use multiple VR if you need to segregate interfaces from eachother: they will not be able to reach eachother unless you add a route to specifically allow it (all interfaces on the same vr can automatically 'route' to eachother)

 

PBF can be used to make a preferred route on top of normal routing eg. if you have 2 ISP, one leased line and one DSL, you could create a PBF to route non-important web-browsing over the DSL line. If the ISP were to fail, routing would fall back to your static routes and web-browsing would go over the leased line

 

PBF and multiple VR's don't necessarily need to go hand in hand, the dual ISP solution does not require 2 VRs, but this scenario does:

if you need to set up redundant VPN tunnels, you will need to have 2 static route (eg default gateways) working at the same time so the tunnels can remain 'up'. PBF can then be used to direct traffic to one VR or the other depending on your preferred conditions

 

 

hope this makes sense (did you check out the PBF article i provided above ?

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 4415 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!