This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Useless PBF warning

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Useless PBF warning

TheRealDiz
L4 Transporter

‎03-23-2017 03:20 AM

Hi All,

 

That's not an issue.. I just want to share with you this thoughtPBF_warning.JPGWarning_Rule.JPG

 

Starting from the fact that the egress interface is NOT a matching criteria.. But I have to configure around 80 VPN tunnel (with their own backup tunnel using pbf option "disable if unreachable") .. so it means I will have 80 warnings.. :,(

 

It should be useful to put egress interface in PBF policies as a matching criteria?

What is it your opinion?

 

Regards

D!Z

0 Likes Likes
2 REPLIES 2

ansharma
L4 Transporter

‎03-23-2017 10:51 PM

Hi TheRealDiz,

 

It's not possible to put the egress interface as a condition, as the PBF is itself responsible for determining the egress interface (the result cannot be a condition).

 

In Palo Alto, either the PBF or the Routing table determines the egress interface.

 

In your screenshot I can guess rule 7 is shadowing 8, 3 is shadowing 4. Reason is that the conditions are identical for 3/4 and 7/8. Moreover, rule 8 and rule 4 might not actually trigger if you don't choose the monitor profile correctly or check the box for 'Disable this rule if the next hop/monitor IP is unavailable'.

 

Nothing can be done about the warnings. By the way, how many paths can a single tunnel take? If it's just 2, usually you'd put the main path in the PBF and a backup path in the VR. Do you have 3 paths, 2 via PBF and 1 via VR? If it's 2, configure the backup path in the VR (static route = next hop is backup tunnel interface (no IP req'd)). And, in your PBF choose a monitor profile with the Action - Fail over and uncheck the box for 'Disable this rule if the next hop/monitor IP is unavailable'.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7

Elmer_Potts
L0 Member
In response to ansharma

‎11-14-2019 01:24 PM

I've had the same issue, and I resolved it by adding a "dummy" zone to the shadowed PBF rule, as shown below:

clipboard_image_0.png

0 Likes Likes
  • 2629 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks