06-22-2017 10:53 AM
Hello,
I am not quite sure about the difference between rules created under 'Policy based forwarding' and 'Security' under Policies tab.
Could someone please help me understand how rules created under Security differ from rules created under Policy Based Forwarding?
Thanks,
PS
06-22-2017 11:44 AM
PBF rules are checked before the routing table, and if any rule matches, the routing table is skipped.
So Security policies are there to permit or deny traffic, and PBF rules are used to decide where traffic should go.
06-22-2017 12:06 PM
OK, now I understand the difference between PBF and security rules, but what is the need for PBF?
Is the Forwarding table alone not sufficient enough?
Basically, why do we need PBF if we already have routing tables?
Thanks,
PS
06-22-2017 12:30 PM
Routing is based on "destination": to get to y.y.y.y, send to next-hop z.z.z.z.
Policy-based Forwarding adds Source IP address to the routing decision. This allows you to make routing decisions based on where the traffic is coming from - not just based on the destination.
One example:
PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"
Routing: "Send all corporate traffic through the expensive MPLS circuit"
Another example:
PBF Rule 1: "Forward half of my users via ISP1"
PBF Rule 2: "Forward the other half of my users via ISP2"
PBF Rule 3: "Forward all users via ISP1" (in case ISP2 is down)
PBF Rule 4: "Forward all users via ISP2" (in case ISP1 is down)
06-22-2017 01:41 PM
There are quite a few use cases for PBF that would dictate that certain traffic is sent to a certain destination. PBF lets you specify an application, which wouldn't be possible if you are using just the routing table.
06-22-2017 01:55 PM
From this example:
One example:
PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"
Routing: "Send all corporate traffic through the expensive MPLS circuit"
I do not feel any real difference between PBF and routing in the example above.
But I do understand that PBF is used when you are deciding where to route based on the source and not on the destination, as we typically do in routing.
However, in your example, it looks like you are deciding based on source for both. Then how come the corporate one will be taken as routing and not PBF?
PS
06-22-2017 02:01 PM
In the first example, "forward guest wireless traffic" is a single PBF rule, where the 2nd rule (send everything else via MPLS) happens in the virtual router / default route. I'll tweak the example to be a little more clear:
PBF: "Forward all guest wireless traffic through the cheap local cablemodem/ISP"
Routing: "Send all traffic through the default route (MPLS circuit)"
My mistake for saying "all corporate traffic" - I meant "all traffic" that didn't match the PBF rule. Hope that clears it up.
06-22-2017 02:08 PM
@BPry wrote: PBF lets you specify an application, which wouldn't be possible if you are using just the routing table.
Using Application for match criteria in a Policy-Based Forwarding policy is not recommended. Palo Alto Networks recommends using a service object instead, if possible. Not to say that Application-based PBF doesn't work, but there are a handful of caveats to be aware of:
- https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/pbf#_13619
That being said, the example is helpful as it's a great difference between PBF and Routing.
06-22-2017 02:08 PM
You would use routing because it would state something along the lines of "all traffic should go out the MPLS circuit"; then with PBF you specify that guest wireless traffic goes out the ISP gear.
A further example would be if I had a route that stated 10.191.0.0/16 needs to go to a specific circuit.
Say that I have my GIS users on 10.191.80.0/25 and for an undetermined amount of time I need to route them through a different circuit due to a potential litigation hold (sigh); I would find that easier to do with a PBF rule, which is easy to create and remove on the fly, rather than messing around with my routing table and breaking subnets out of my 10.191.0.0/16 range.
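The lookup order described in this thread (PBF rules evaluated first by source, then the destination-only routing table by longest prefix, with the Security rulebase deciding permit/deny separately) as an added illustration; this is not code from the thread or from PAN-OS. The subnets, next-hop names and rule names are constructed for the example, modelled on the guest-wireless and 10.191.80.0/25 cases above.

```python
from ipaddress import ip_address, ip_network

# Constructed Security rulebase: answers only "permit or deny" (source network -> action).
SECURITY_RULES = [
    ("guest-to-internet", ip_network("192.168.50.0/24"), "allow"),
    ("corp-any", ip_network("10.0.0.0/8"), "allow"),
]

# Constructed PBF rulebase: first match wins and the routing table is skipped.
# Tuples are (rule name, source network, egress next-hop).
PBF_RULES = [
    ("guest-wifi-via-isp", ip_network("192.168.50.0/24"), "isp-cablemodem"),
    ("gis-litigation-hold", ip_network("10.191.80.0/25"), "circuit-hold"),
]

# Constructed routing table: destination only, longest prefix match.
ROUTES = [
    (ip_network("10.191.0.0/16"), "circuit-gis"),
    (ip_network("0.0.0.0/0"), "mpls-default"),
]


def security_verdict(src_ip):
    """Permit/deny decision; evaluated independently of where the packet is sent."""
    src = ip_address(src_ip)
    for _name, net, action in SECURITY_RULES:
        if src in net:
            return action
    return "deny"  # implicit deny at the end of the rulebase


def route_lookup(dst):
    """Plain destination routing: the most specific matching prefix wins."""
    candidates = [r for r in ROUTES if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def forward(src_ip, dst_ip):
    """Return (how the decision was made, next-hop). PBF is consulted first,
    keyed on the source; only if no PBF rule matches does routing run."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for name, src_net, nexthop in PBF_RULES:
        if src in src_net:
            return ("pbf:" + name, nexthop)
    return ("route", route_lookup(dst))
```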
06-22-2017 02:09 PM
That's why I put it in; missing the first handful of packets until you actually get identified can be a pain, but thankfully we now have that awesome application cache, so it's less of an issue 😉
06-23-2017 07:25 AM
Thank you for beautifully explaining it.
Appreciate it. Now I have a good understanding of the basic differences.
Cheers,
PS