Thank you for the response. If the IP address of the egress interface is used as a source address, then I wonder if I might have uncovered a bug? Firewall is PA-220 running 8.1.12 We have 2 circuits with user Internet traffic by default going up the backup circuit with an overriding PBF rule to force traffic over the primary circuit. This PBF rule was monitoring against an OpenDNS server ip (208.67.222.222) with checkbox enabled to disable the rule if that ip was unreachable. We had a call that users could not access Internet. Upon logging into firewall, we could see backup circuit was down. However, the primary circuit appeared fine (we were connecting to the firewall remotely over IPsec tunnel over the primary circuit), so we assumed the PBF rule should still be activated. However, that appears not to be the case, because as soon as we unchecked the "Monitor" checkbox in the PBF rule and committed the change, users were again able to access the Internet. We then ssh'd into the firewall and tried pinging the OpenDNS server (208.67.222.222) from cli with source address the egress address of the PBF rule. We got ping responses. So, I'm wondering if a) that OpenDNS server was not responding and just happened to recommence responding as I was commmitting the Monitor check removal or b) it could be a bug? Has anyone had other odd experiences with monitoring PBF rules?
... View more