11-14-2014 03:52 PM
Can this be accomplished without something like a Performance Routing service or hybrid WAN systems a couple companies offer? Is it a roadmap feature of PAN-OS PBF? PBF seems to be one of few things that do NOT support Regions.
I'd like to PBF my connections to Country A through a different path than directly out my Country B firewall to achieve lower latency connections on MPLS. I'm trying to have fewer devices in my network vs adding more.
11-14-2014 03:55 PM
Hi bspilde
I don't think it is currently possible to achieve this. There is a feature request for this:
FR ID: 1497
You can get in touch with your SE to vote for the above feature request.
Hope it helps!
11-14-2014 04:03 PM
Here is a quote from the Help Guide on PAN-OS 6.1 in the PBF section that clearly specifies that Regions is an option for the Destination:
Destination/Application/Service Tab
Use the Destination/Application/Service tab to define the destination settings that will be applied to traffic that matches the forwarding rule.
Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down list, or click the Address, Address Group, or Regions link at the bottom of the drop-down list, and specify the settings.
Full Section:
Policy-Based Forwarding Policies
Policies > Policy Based Forwarding
Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route that determines the outgoing interface and destination security zone based on destination IP address. With policy-based forwarding (PBF), you can specify other information to determine the outgoing interface, including source zone, source address, source user, destination address, destination application, and destination service. The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to subsequent PBF rules (that do not specify an application) or the virtual router’s forwarding table. All subsequent sessions on that destination IP address and port for the same application will match an application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not recommended.
When necessary, PBF rules can be used to force traffic through an additional virtual system using the Forward-to-VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will forward the packet from the destination virtual system out through a particular egress interface on the firewall.
For configuration guidelines and information on other policy types, refer to “Policies and Security Profiles”.
For information on defining policies on Panorama, see “Defining Policies on Panorama”.
The following tables describe the policy-based forwarding settings:
Enter a name to identify the rule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Only the name is required.
If you need to tag the policy, click Add to specify the tag.
Use the Source tab to define the source zone or source address that defines the incoming source traffic to which the forwarding policy will be applied.
To choose source zones (default is any), click Add and select from the drop-down list. To define new zones, refer to “Defining Security Zones”. Note: Only Layer 3 type zones are supported for policy-based forwarding.
Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down list, or click the Address, Address Group, or Regions link at the bottom of the drop-down list, and specify the settings.
Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
Destination/Application/Service Tab
Use the Destination/Application/Service tab to define the destination settings that will be applied to traffic that matches the forwarding rule.
Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down list, or click the Address, Address Group, or Regions link at the bottom of the drop-down list, and specify the settings.
11-14-2014 04:19 PM
Hi Bspilde,
It's correct, regions are not supported in PBF rules. Kindly follow FR ID: 1497.
I can see "Region" as source or destination in configuration guide. But it would be just a typo or error. Kindly ignore it.
Regards,
Hardik Shah
01-14-2020 03:50 AM
A better question would be, why CAN'T PBF be formed around destination region. It would be useful to be able to route some internet destinations one way, and others another way.
It seems to me it would be minimally difficult for the Palo Team to permit this, since they already have RBLs full of regional addressing by country anyway.