Subinterfaces and Policy based routing

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L1 Bithead

Subinterfaces and Policy based routing

Hi, so I've configured a new L3 subinterface on an existing L3 interface, both with IP addresses and I thought it was going to work. I've got a PBR rule in place on the previous hop, a HP switch, which diverts some traffic to this new subinterface. I can see the selected traffic allowed out from the Palo's traffic monitor logs but, from the client end, routing through the new subinterface I'm not getting responses back. A traceroute from the client to outside (or even the subinterface's primary interface) result in a response from the subinterface but no further.

 

 

 

Library network PBR plan.jpg

2018-02-27_161058.jpg

 

Out of desperation I added a static route on the Palo to ensure the return packets know how to get back but it's still not working. I've added a snippet of the network for a visual representation. Any ideas what I might have missed?


Accepted Solutions
Highlighted
L7 Applicator

Since you enabled PBR on the switch behind the firewall, you may need to add routing or PBF with symmetric return on the firewall (192.168.0.0/24 via 192.168.254.<switch interface>)

The firewall may now want to try and route return packets out of 172.16.1.141 which will cause all kinds of problems

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374

View solution in original post


All Replies
Highlighted
L7 Applicator

Since you enabled PBR on the switch behind the firewall, you may need to add routing or PBF with symmetric return on the firewall (192.168.0.0/24 via 192.168.254.<switch interface>)

The firewall may now want to try and route return packets out of 172.16.1.141 which will cause all kinds of problems

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374

View solution in original post

Highlighted
L2 Linker

Just a couple of questions for clarity for me and hopefully others:

 

1) Is the outgoing traffic having NAT applied to it? It wasn't clear from the logs or config you provided whether the new subnet is being hidden correctly behind your external address.

2) Have you performed a packet capture to confirm that the traffic is being received back to the firewall and then what interfaces its leaving on the firewall (looking at the source mac of the return packet on the transmit pcap)?

3) Have you checked the counters on the firewall (apply packet capture filters then run 'show counter global filter severity drop packet-filter yes delta yes' whilst generating traffic to make sure none of it is being dropped silently.

4) If the above fails, have you looked at performing a flow debug basic to confirm if the return traffic is leaving the correct interface and doesn't show an drops?

 

Just a couple of ideas for next steps for you. Please leave an update with what you find

 

 

Tags (1)
Highlighted
L1 Bithead

Hi JamesWW, 

 

Thanks for taking the time to respond. Sorry it's taken a while to get back to you, I'm only part time here. 

 

As per the post by reaper, I ended up adding a PBF rule to the Palo to route traffic destined for the public subnet through to the public interface and that's worked. Thanks again for the time you took to help.

 

Cheers,

 

Michelle

Highlighted
L1 Bithead

Hi reaper, I had suspected that this might be the case but wasn't really sure if it would be necessary. Anyways, I tried it and it works you little ripper!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!