Policy Based Forwading Capability Question

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Policy Based Forwading Capability Question

L1 Bithead

Hello All, Was just wondering if anyone may be able to help with this our question.


Please see the attached High Level Diagram. Both Firewalls are PA 3020's with the full licence set enabled. We need to replace the ISA server which is not providing any other functions than forwarding the traffic down one of the 3 paths in the diagram, unfortunately we need to maintain this capability owing to some historic complexities with certain applications in our infrastructure not working through our proxy or via the cloud proxy or vice versa.


Data Flows.jpg

I know the PA can do Policy based forwarding which would suffice for the passage of traffic either via the Local Proxy or directly out via the ISP router. Everything I have read would suggest that the PBF is more of a routing level thing which requires an interface in the same subnet within the PA.


Obviously this is not possible for the cloud hosted proxy, if we were to set the egress interface and just put the next hop address as the cloud proxy would that function. My inclination is that the next hop needs to be exactly that but just looking for confirmation before I buy another solution. Thanks in Advance


Cyber Elite
Cyber Elite

So the PAN interface doesnt need to be on the same vlan segment, it should just need to have the traffic routed to it. The PBF then should be setup by source and then flow out a destination interface on the PAN. The interface shouldnt need to be on the same segment as long as the way the packets flow out they get sent towards their intended destination.


I dont think I did a good job explaining this. Here is the link to a PBF doc that does a good job explaing it.





Hi Otakar,


Thanks for the reply, i think i may not have explained this fully, we are trying to replace the ISA server whihc at the moment based on policy directs the traffic to the cloud proxy by ammending the packet header and its this function i am wondering whether the PA can reproduce to allow us to remove the ISA.


I think the answer here is it depends on what the ISA server is currently doing to detect/authorize traffic. The PAN can do somethings but not everything. It would be helpful if you could explain, without give us the keys to the kingdom, what actions/inspections the ISA server is currently performing. I think based on that we could determine if the PAN can replace the ISA.



Hi WesNeary...Are your users explicitly proxied (browser set to use proxy server) to the ISA server, and the ISA server is using proxy chaining to connect the cloud service?  In other words, the ISA server is configured to use an upstream proxy server = cloud service.

Hi Rmonvon


You are correct clients have the ISA set as there browser proxy this then based on its rulesets forwards the traffic to either our onsite proxy, the upstream proxy or directly to the internet.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!