Source address of PBF Monitor heartbeat ICMPs

L1 Bithead


I have a Policy Based Forwarding related question.

Suppose we have a PBF rule with Monitoring enabled, and "disable this rule if next-hop/monitor IP is unreachable" also enabled. Palo Alto then sends ICMPs to the monitored IP address out of the egress interface defined on the same page.

However, what is the source IP of these ICMP requests?

Is it always the IP address of the egress interface?

 

L0 Member

Re: Source address of PBF Monitor heartbeat ICMPs

Yes, the forwarding egress interface always sends the keepalives to the monitoring IP.

L1 Bithead

Re: Source address of PBF Monitor heartbeat ICMPs

Thank you for the response.

If the IP address of the egress interface is used as the source address, then I wonder if I might have uncovered a bug?

Firewall is a PA-220 running 8.1.12.

We have 2 circuits, with user Internet traffic by default going up the backup circuit and an overriding PBF rule to force traffic over the primary circuit.

This PBF rule was monitoring against an OpenDNS server IP (208.67.222.222), with the checkbox enabled to disable the rule if that IP was unreachable.

We had a call that users could not access the Internet. Upon logging into the firewall, we could see the backup circuit was down.

However, the primary circuit appeared fine (we were connecting to the firewall remotely over an IPsec tunnel over the primary circuit), so we assumed the PBF rule should still be active.

However, that appears not to be the case, because as soon as we unchecked the "Monitor" checkbox in the PBF rule and committed the change, users were again able to access the Internet.

We then ssh'd into the firewall and tried pinging the OpenDNS server (208.67.222.222) from the CLI with the source address set to the egress address of the PBF rule. We got ping responses.

So, I'm wondering if a) that OpenDNS server was not responding and just happened to recommence responding as I was committing the Monitor checkbox removal, or b) it could be a bug?

Has anyone had other odd experiences with monitoring PBF rules?

L5 Sessionator

Re: Source address of PBF Monitor heartbeat ICMPs

Just to add here, the PBF rule will take effect only for systems behind the Palo Alto and not for traffic sourced from a firewall interface. Now coming to your issue: the PBF rule was down when monitoring was enabled.

Can you please try changing the monitoring IP and check if it works? I have configured PBF on my PA-220 and it is working without any issues, but it is running on 9.0. Also check once with TAC whether it is a bug.

- Mayur



Mayur Sutare
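The sequence of events in the thread (monitor probes fail, the rule is disabled, transit traffic falls back to the default route on the backup circuit, and that circuit is down) is easier to reason about as a small state machine. The following is an added example written for this thread, not PAN-OS code: it models a PBF rule whose monitor probes are sourced from the egress interface address, disables the rule after a run of failed probes, and routes transit traffic accordingly. The failure threshold, the rule name, the egress address 203.0.113.10 and the probe results are constructed assumptions; only the monitored address 208.67.222.222 comes from the posts above. Firewall-sourced traffic is modelled as simply following the routing table, which is a simplification of how a CLI ping with an explicit source address is actually sent.

```python
"""Toy model of a PBF rule with a monitored next hop (added example, not PAN-OS code).

Models the behaviour described in the thread: probes sourced from the egress
interface, the rule disabled once the monitor fails, transit traffic then
following the default route (the backup circuit here), and firewall-sourced
traffic bypassing PBF altogether.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# probe(source_ip, monitor_ip) -> True if an ICMP reply came back
Probe = Callable[[str, str], bool]


@dataclass
class PbfRule:
    name: str
    egress_if_ip: str           # probes are sourced from this address (per the thread)
    monitor_ip: str
    monitor_enabled: bool = True
    disable_if_unreachable: bool = True
    failure_threshold: int = 3  # assumed value, not a documented PAN-OS default
    consecutive_failures: int = 0
    disabled_by_monitor: bool = False

    def run_monitor(self, probe: Probe) -> None:
        """One heartbeat: update the rule's state from a single probe result."""
        if not self.monitor_enabled:
            # Unchecking "Monitor" clears any monitor-driven disable immediately.
            self.consecutive_failures = 0
            self.disabled_by_monitor = False
            return
        if probe(self.egress_if_ip, self.monitor_ip):
            self.consecutive_failures = 0
            self.disabled_by_monitor = False
        else:
            self.consecutive_failures += 1
            if (self.disable_if_unreachable
                    and self.consecutive_failures >= self.failure_threshold):
                self.disabled_by_monitor = True


def choose_path(rule: PbfRule, from_firewall: bool, backup_up: bool) -> Optional[str]:
    """Which circuit a flow takes: "primary" (via PBF), "backup" (default route) or None (no path)."""
    if from_firewall:
        # PBF only applies to transit traffic; firewall-sourced packets follow the routing table.
        return "backup" if backup_up else None
    if not rule.disabled_by_monitor:
        return "primary"
    return "backup" if backup_up else None


def scripted_probe(results: Iterable[bool]) -> Probe:
    """Build a probe that returns the constructed results in order (True = reply received)."""
    it = iter(results)
    return lambda src, dst: next(it)


def simulate(probe_results: List[bool], monitor_enabled: bool, backup_up: bool,
             from_firewall: bool = False) -> Optional[str]:
    """Feed a constructed series of probe results to the rule and report the resulting path."""
    rule = PbfRule(name="force-primary",            # assumed rule name
                   egress_if_ip="203.0.113.10",     # assumed egress interface address
                   monitor_ip="208.67.222.222",     # monitored address from the thread
                   monitor_enabled=monitor_enabled)
    probe = scripted_probe(probe_results)
    for _ in probe_results:
        rule.run_monitor(probe)
    return choose_path(rule, from_firewall, backup_up)


if __name__ == "__main__":
    # The outage in the thread: monitor fails, backup circuit down -> transit traffic has no path.
    print("monitor on, probes failing, backup down :", simulate([False] * 3, True, False))
    # Unchecking "Monitor" and committing: rule active again, traffic takes the primary circuit.
    print("monitor off, backup down                :", simulate([False] * 3, False, False))
    # Same probe failures with the backup circuit up: traffic silently moves to the backup.
    print("monitor on, probes failing, backup up   :", simulate([False] * 3, True, True))
```

The model makes the thread's observation concrete: with "disable this rule if next-hop/monitor IP is unreachable" set, a monitor failure does not leave the rule "half working", it removes the forced path entirely, and whether users notice depends only on whether the default route still has a working circuit behind it. A probe that succeeds from the CLI proves little on its own, since that ping is firewall-sourced and never consults the PBF rule; the monitor's own state is what needs checking.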