Useless PBF warning



L4 Transporter

Hi All,


That's not an issue.. I just want to share this thought with you (attachments: PBF_warning.JPG, Warning_Rule.JPG).


Starting from the fact that the egress interface is NOT a matching criterion.. But I have to configure around 80 VPN tunnels (each with its own backup tunnel using the PBF option "disable if unreachable").. so it means I will have 80 warnings.. :,(


Wouldn't it be useful to have the egress interface as a matching criterion in PBF policies?

What is your opinion?





L4 Transporter

Hi TheRealDiz,


It's not possible to put the egress interface as a condition, as the PBF is itself responsible for determining the egress interface (the result cannot be a condition).


In Palo Alto, either the PBF or the Routing table determines the egress interface.


In your screenshot I can guess rule 7 is shadowing 8, and 3 is shadowing 4. The reason is that the conditions are identical for 3/4 and 7/8. Moreover, rules 8 and 4 might not actually trigger if you don't choose the monitor profile correctly or check the box for 'Disable this rule if the next hop/monitor IP is unavailable'.


Nothing can be done about the warnings. By the way, how many paths can a single tunnel take? If it's just 2, usually you'd put the main path in the PBF and a backup path in the VR. Do you have 3 paths, 2 via PBF and 1 via VR? If it's 2, configure the backup path in the VR (static route = next hop is backup tunnel interface (no IP req'd)). And, in your PBF choose a monitor profile with the Action - Fail over and uncheck the box for 'Disable this rule if the next hop/monitor IP is unavailable'.




ACE 7.0, 8.0, PCNSE 7
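To make the shadowing point concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models PBF rules with a hypothetical `PbfRule` class and reproduces the commit-time shadow check: only the match fields are compared, the egress interface in the action is ignored, which is exactly why a primary/backup pair with identical criteria is flagged, and why the "dummy zone" trick below makes the warning go away.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class PbfRule:
    """Simplified model of a PAN-OS PBF rule (constructed for this example)."""
    name: str
    from_zones: frozenset
    sources: frozenset
    destinations: frozenset
    services: frozenset
    egress_interface: str      # part of the action: never consulted when matching
    disable_if_unreachable: bool = False

MATCH_FIELDS = ("from_zones", "sources", "destinations", "services")

def field_covers(earlier, later):
    """An 'any' field covers everything; otherwise a set covers its subsets."""
    return earlier == ANY or later <= earlier

def covers(earlier, later):
    """True if every packet 'later' could match is already matched by 'earlier'."""
    return all(field_covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS)

def shadow_warnings(rules):
    """Return (shadowing, shadowed) name pairs in rulebase order, like the commit warning."""
    warnings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                warnings.append((earlier.name, later.name))
                break  # report only the first rule that shadows this one
    return warnings

# Constructed sample: primary and backup tunnel for one site, identical criteria,
# differing only in the action (egress interface), the case discussed in the thread.
Z, SRC, DST = frozenset({"trust"}), frozenset({"10.1.0.0/24"}), frozenset({"10.9.0.0/24"})
RULE_3 = PbfRule("rule-3", Z, SRC, DST, ANY, "tunnel.3", True)
RULE_4 = PbfRule("rule-4", Z, SRC, DST, ANY, "tunnel.4", True)
RULES = [RULE_3, RULE_4]

# Workaround mentioned in the thread: add a "dummy" zone so the criteria are no longer
# identical. The warning disappears, but trust traffic still hits rule-3 first, so rule-4
# only carries it once rule-3 has been disabled by its monitor.
RULE_4_DUMMY = PbfRule("rule-4", Z | {"dummy"}, SRC, DST, ANY, "tunnel.4", True)
RULES_WITH_DUMMY = [RULE_3, RULE_4_DUMMY]

if __name__ == "__main__":
    print(shadow_warnings(RULES))             # [('rule-3', 'rule-4')]
    print(shadow_warnings(RULES_WITH_DUMMY))  # []
```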

I've had the same issue, and I resolved it by adding a "dummy" zone to the shadowed PBF rule, as shown below:

