10-26-2022 12:32 AM - edited 10-26-2022 12:33 AM
We recently added a new Internet link to our PA-3020. We want only one server (10.1.12.130) to use it, so we configured the new internet link interface as layer-3, assigned it a static IP, and created a PBF policy that basically specifies the zone (internal) and the source IP (10.1.12.130); the destination is any (negate 10.0.0.0/8) and the action is to forward traffic to egress IF 1/10 with a next hop of 1.1.1.1.
We also created a NAT rule: from internal zone to external zone, source IF 1/10, and source translation is dynamic-ip-and-port.
Finally, we created a security policy to allow traffic from that source to the internet.
We have one virtual router for the old ISP. It's my understanding that no VR is required when using PBF, as no failover or redundancy is required between the two links.
The source server doesn't have internet connectivity. FW's Software Version is 9.1.14-h4. We don't use Panorama to manage it.
I found a similar KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK#:~:text=Policy%20b...
I spent countless hours with PA engineers and they confirmed that the setup looks good, but for some reason they couldn't figure out why this setup is not working.
Any thoughts? Thanks in advance.
10-26-2022 07:33 AM
Does the traffic from the single server egress out ISP 1 even with the PBF in place?
Do the logs show anything interesting with rule hits, allow/deny, etc?
Any packet captures on any interfaces to track where the traffic is going?
10-26-2022 07:48 AM
Thanks for your reply.
1. The single server doesn't have internet connectivity. It can still talk to the other servers on the LAN, but it doesn't have internet connectivity.
2. Captures show that ARP requests are incomplete. This could be due to the fact that there is no VR configured for ISP2.
>show arp all
ethernet1/10 147.129.178.129 (incomplete) ethernet1/10 i 1
>show counter global filter packet-filter yes delta yes severity drop
flow_fwd_l3_noarp 7 0 drop flow forward Packets dropped: no ARP
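The two command outputs quoted above carry the whole diagnosis: an ARP entry for the PBF next hop stuck in the incomplete state on the egress interface, and a non-zero flow_fwd_l3_noarp drop counter. The following Python script is an added example, not code from the thread or from Palo Alto Networks; it parses both outputs (the data lines mirror the page's values, the column headers are constructed and assumed) and correlates them into one finding, so the same check can be run on captured CLI output from any PAN-OS box before opening a case.

```python
import re

# Constructed sample CLI output, modelled on the two commands quoted in the
# thread. Column headers are assumed; the data lines echo the page's values.
ARP_OUTPUT = """\
interface       ip address       hw address         port          status  ttl
ethernet1/10    147.129.178.129  (incomplete)       ethernet1/10  i       1
ethernet1/3     10.1.12.130      00:50:56:aa:bb:cc  ethernet1/3   c       1200
"""

COUNTER_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 12.3 seconds

name                      value     rate severity  category  aspect    description
-------------------------------------------------------------------------------
flow_fwd_l3_noarp             7        0 drop      flow      forward   Packets dropped: no ARP
-------------------------------------------------------------------------------
"""

# One ARP row: interface, IPv4 address, hw address (or "(incomplete)"), port,
# one-letter status (i = incomplete, c = complete), ttl in seconds.
ARP_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<hw>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<status>[a-z])\s+(?P<ttl>\d+)\s*$"
)
# One global-counter row: name, value, rate, severity, category, aspect, description.
COUNTER_LINE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.+?)\s*$"
)


def parse_arp(text):
    """Return one dict per ARP entry; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ttl"] = int(d["ttl"])
            entries.append(d)
    return entries


def parse_counters(text):
    """Return {counter_name: value} for every counter row in the output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            counters[m["name"]] = int(m["value"])
    return counters


def diagnose(arp_text, counter_text, egress_iface):
    """Correlate incomplete ARP entries on the PBF egress interface with the
    no-ARP drop counter and return a structured finding."""
    incomplete = [(e["iface"], e["ip"]) for e in parse_arp(arp_text)
                  if e["iface"] == egress_iface and e["status"] == "i"]
    noarp_drops = parse_counters(counter_text).get("flow_fwd_l3_noarp", 0)
    finding = {"incomplete": incomplete, "noarp_drops": noarp_drops}
    if incomplete and noarp_drops > 0:
        finding["verdict"] = (
            f"next hop on {egress_iface} never resolves; forwarded packets are "
            "dropped before they leave the firewall. Check that the interface is "
            "assigned to a virtual router and that the next hop lies in its subnet."
        )
    elif incomplete:
        finding["verdict"] = "ARP incomplete but no drops counted yet; re-check after sending traffic"
    else:
        finding["verdict"] = f"no ARP problem on {egress_iface}"
    return finding


if __name__ == "__main__":
    print(diagnose(ARP_OUTPUT, COUNTER_OUTPUT, "ethernet1/10"))
```

Run it against saved output of `show arp all` and the filtered `show counter global` command; the interface name passed to diagnose() is the egress interface named in the PBF rule, so a stale entry on an unrelated interface does not produce a false finding.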