Policy Based Forwarding (PBF) problem


L1 Bithead

I’ve got a problem with policy based forwarding. I have 2 ISPs: traffic to the 1st ISP is forwarded by PBF, to the 2nd via the default route. The PBF rule monitors the remote target’s IP and the availability of the nexthop address. My question is: how does PBF check the availability of the nexthop address? I have a sniffer open on the nexthop address host but I can’t find any specific traffic.

In the system log I’ve got many entries like this: “Vsys 1 PBF rule pbf nexthop is DOWN”. How can I debug this?

While the PBF status is DOWN, I can ping the nexthop address from the adjacent interface of the Palo Alto.


L4 Transporter

It should ping from the ISP A interface to the remote network. Are you monitoring the next hop? Also verify that you do not see any drops in the traffic logs for the IP you are monitoring (denyall may drop this traffic).


Not applicable

I have the same problem.

The PBF rule status says that the NextHop is Down but I'm sure it's up and I can ping it via source ping from the device.

Did someone manage to solve this issue?

It looks like this issue is software related.

After updating to software version 4.1.4 everything worked fine.

L4 Transporter

I have the same problem. I have a deny all at the bottom of the security rule but Untrust to Untrust. The PBF next hop says it's down and the rule disables the route, but the next hop is up. I am on 5.0.1 and this still occurs frequently, every few hours. DOES ANYONE KNOW HOW PBF CHECKS THE NEXT HOP AND WHY IT SAYS DOWN WHEN IT'S UP??

L4 Transporter

Can anyone from PAN comment? This has been recurring for a few days. I have opened tickets but we haven't got to a root cause. How does the egress monitor the next hop as up? Would a static ARP help? There are no pings in the packet capture, so how does it know this is up or down? It's up but shows down. Does it not come back up after it goes down?

L4 Transporter

Hi All; finally figured out what it is. So the PBF rule does monitor from the egress interface configured in the rule. It will come back up if the next hop is up. The monitor uses PING. My problem was that I was trying to fully mesh active-passive firewalls and had connected hubs from both uplinks of the firewalls to a single uplink for the ISP that was having the problem. When I connect the ISP directly to the PAN device the pings stay normal. Time to replace some hubs.

You also want to turn on "Enforce Symmetric Return" IF you are running dual IPSec tunnels over the PBF: the return traffic has to go out the interface it came in on, or the tunnel will stay up but renegotiate constantly.
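To make the symptom discussed in this thread reproducible offline, here is an added example (not Palo Alto code and not from any poster) that models a PBF-style path monitor as a state machine: one ICMP echo per interval from the rule's egress interface, DOWN after `threshold` consecutive lost replies, UP again as soon as a reply arrives. The threshold value, the rule name and the next-hop address are assumptions; the probe results are constructed so the script runs without a network.

```python
"""PBF-style next-hop path monitor as a state machine (added example).

Assumptions (not from the thread): the monitor declares DOWN after
`threshold` consecutive lost echo replies and returns to UP on the
first reply seen while DOWN. Probe results are injected, so a lossy
uplink can be replayed without real pings.
"""
from dataclasses import dataclass, field


@dataclass
class PathMonitor:
    rule: str
    nexthop: str
    threshold: int = 3          # consecutive lost probes before DOWN (assumed value)
    state: str = "UP"
    misses: int = 0
    events: list = field(default_factory=list)

    def observe(self, reply_received: bool) -> str:
        """Feed one probe result (True = echo reply seen) and return the new state."""
        if reply_received:
            self.misses = 0
            if self.state == "DOWN":
                self.state = "UP"
                self.events.append(f"PBF rule {self.rule} nexthop {self.nexthop} is UP")
        else:
            self.misses += 1
            if self.state == "UP" and self.misses >= self.threshold:
                self.state = "DOWN"
                self.events.append(f"PBF rule {self.rule} nexthop {self.nexthop} is DOWN")
        return self.state


def run_monitor(probes, threshold: int = 3) -> list:
    """Replay a probe sequence and return the UP/DOWN events it would log."""
    # 203.0.113.1 is a documentation address standing in for the ISP next hop.
    mon = PathMonitor("pbf", "203.0.113.1", threshold)
    for reply in probes:
        mon.observe(reply)
    return mon.events


# Constructed scenario: a hub in the path drops echo replies in bursts. The next
# hop answers a ping sent moments later, yet the monitor has already flapped,
# which matches the "DOWN but I can ping it" reports above.
LOSSY_UPLINK = [True, True, False, False, False, True, True,
                False, True, False, False, False, True]

if __name__ == "__main__":
    for line in run_monitor(LOSSY_UPLINK):
        print(line)
```

Replaying the same probe sequence with a higher threshold (`run_monitor(LOSSY_UPLINK, threshold=5)`) produces no events, which is the knob to look at before blaming the next hop itself.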
