Policy Based Forwarding is not working for Secondary ISP


L1 Bithead


We recently added a new Internet link to our PA-3020. We want only one server ( to use it, so we configured the new internet link interface as layer-3, assigned it a static IP, created a PBF policy that basically specifies the zone (internal) and the source IP ( and the destination is any (negate and the action is to forward traffic to egress IF 1/10 with next hop of

We also created a NAT rule: From internal zone to external zone, source IF 1/10 and source translation is dynamic-ip-and-port.

Finally, we created a security policy to allow traffic from that source to the internet.

We have one virtual route for the old ISP. It's my understanding that no VR is required when using PBF as no failover or redundancy is required between the two links.


The source server doesn't have internet connectivity. FW's Software Version is 9.1.14-h4. We don't use Panorama to manage it.


I found a similar KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK#:~:text=Policy%20b...





I spent countless hours with PA engineers and they confirmed that the setup looks good, but for some reason they couldn't figure out why this setup is not working.

Any thoughts? Thanks in advance.













L4 Transporter

Does the traffic from the single server egress out ISP 1 even with the PBF in place? 

Do the logs show anything interesting with rule hits, allow/deny, etc?

Any packet captures on any interfaces to track where the traffic is going?

Thanks for your reply. 

1. The single server doesn't have internet connectivity. It can still talk to the other servers on the LAN but it doesn't have internet connectivity.

2. Captures show that ARP requests are incomplete. This could be due to the fact that there is no VR configured for ISP2.


>show arp all
ethernet1/10 (incomplete) ethernet1/10 i 1

>show counter global filter packet-filter yes delta yes severity drop
flow_fwd_l3_noarp 7 0 drop flow forward Packets dropped: no ARP
