We recently added a new Internet link to our PA-3020. We want only one server (10.1.12.130) to use it, so we configured the new internet link interface as layer-3 , assigned it a static IP, created a PBF policy that basically specifies the zone (internal) and the source IP (10.1.12.130) and the destination is any (negate 10.0.0.0/8) and the action is to forward traffic to egress IF 1/10 with next hop of 126.96.36.199
We also created a NAT rule : From internal zone to external zone, source IF 1/10 and source translation is dynamic-ip-and-port.
Finally, we created a security policy to allow traffic from that source to the internet.
We have one virtual route for the old ISP. It's my understanding that no VR is required when using PBF as no failover or redundancy is required between the two links.
The source server doesn't have internet connectivity. FW's Software Version is 9.1.14-h4. We don't use Panorama to manage it.
I found a similar KB for reference : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK#:~:text=Policy%20based%20forwarding%20allows%20you,to%20tweak%20the%20routing%20table
I spent countless hours with PA engineers and they confirmed that the setup looks good, but for some reason they couldn't figure out why this setup is not working.
any thoughts? Thanks in advance.
... View more