06-27-2022 02:27 PM
Hi @smshafek ,
I am also wondering why people are still suggesting the use of PBF for tunnel (IPsec to GRE) failover... I am only guessing that this was the way long, long ago with earlier versions of PAN-OS.
GRE keepalives wouldn't affect PBF routing, because PBF rules are enforced the same way as security rules - first match, top to bottom, no matter if the tunnel is down and the next-hop is not available. Enabling path monitor in a PBF rule will disable that rule if the ping probes don't receive replies. But this is true only if you use "fail-over" for the monitoring profile; "wait-recover" will have a different effect - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/pbf/path-mo...
So PBF rules with path-monitor and a "fail-over" monitor profile should work as well.
Anyway, I always recommend staying away from PBF whenever possible, so you should stick with static routes with different metrics and GRE keepalives.