- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-06-2020 04:17 AM
I have a Policy Based Forwarding related question.
If we have a PBF rule, with Monitoring enabled, and the "disable this rule if next-hop/monitor ip is unreachable" also enabled.
So Palo Alto sends ICMPs to the monitored IP address out of the egress interface defined on the same page.
However, what is the source-ip of these ICMP requests?
Is it always the IP address of the egress interface?
02-06-2020 04:33 AM
Yes, always forwarding egress interface sends keepalives to monitoring IP.
02-06-2020 09:29 AM
Thank you for the response.
If the IP address of the egress interface is used as a source address, then I wonder if I might have uncovered a bug?
Firewall is PA-220 running 8.1.12
We have 2 circuits with user Internet traffic by default going up the backup circuit with an overriding PBF rule to force traffic over the primary circuit.
This PBF rule was monitoring against an OpenDNS server ip (208.67.222.222) with checkbox enabled to disable the rule if that ip was unreachable.
We had a call that users could not access Internet. Upon logging into firewall, we could see backup circuit was down.
However, the primary circuit appeared fine (we were connecting to the firewall remotely over IPsec tunnel over the primary circuit), so we assumed the PBF rule should still be activated.
However, that appears not to be the case, because as soon as we unchecked the "Monitor" checkbox in the PBF rule and committed the change, users were again able to access the Internet.
We then ssh'd into the firewall and tried pinging the OpenDNS server (208.67.222.222) from cli with source address the egress address of the PBF rule. We got ping responses.
So, I'm wondering if a) that OpenDNS server was not responding and just happened to recommence responding as I was commmitting the Monitor check removal or b) it could be a bug?
Has anyone had other odd experiences with monitoring PBF rules?
02-06-2020 10:42 PM - edited 02-06-2020 10:45 PM
Just to add here, the pbf rule will take effect only for systems behind Palo Alto and not for the traffic sourced from firewall interface. Now coming to your issue, the PBF was down when monitored was enabled.
Can you please try by changing monitoring IP and check if it works ? I have configured PBF on my PA220 and it is working without any issues but it is running on 9.0. Check once with TAC also if it is bug.
- Mayur
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!