This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About jixu
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About jixu
05-29-2023
1Post
0Likes
0Solutions
May 29, 2023Last Visited
User
Activity
User
Profile
Latest posts by jixu
| Subject | Views | Posted |
|---|---|---|
| 318 | 12-18-2022 07:27 PM |
My LIVEcommunity Articles Contributions
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 0 |
User Badges
Community Statistics
| Member Since | 11-18-2021 02:23 AM |
| Date Last Visited | 05-29-2023 05:08 AM |
| Posts | 1 |
12-18-2022
07:27 PM
随着大量社交媒体、 Web 应用访问和其他高带宽的应用程序的日益增长,对办公环境的带宽需求也持续增加,很多公司通过增加 ISP 备用链路来应对当前挑战。利用增加的 ISP 备用链路去卸载SLA较低的、非关键的 Web 流量,从而保障关键应用程序的带宽需求。
为了实现上述需求,下面给大家介绍防火墙的一个非常酷的技巧:基于策略的转发(Policy Based Forwarding)。
基于策略的转发允许您绕过路由表,转而使用基于应用程序、源或目标配置的策略指定的路由选项。简而言之,这意味着您可以选择让某些应用程序使用不同的ISP链路,而无需对路由表做出调整。
下面我们详细看一下示例防火墙是如何配置的:
ISP1 是用于关键应用程序的主要链路;
ISP2 是具有高带宽但没有SLA保证的备用链路;
虚拟路由器的默认网关配置为指向 ISP1;另外也 配置了具有更高Metric值的 ISP2 链路作为备份,预防 ISP1链路出现中断。
首先打开策略 Policies —> Policy Based Forwarding ,创建一个新的策略:
配置源区域或接口;
将目标应用程序设置为网站浏览(web-browsing); 或选择另一个您希望通过 ISP2链路重新路由的应用程序(ftp, tftp...);
最佳实践是将服务(service)设置为应用程序默认(application-default);
在转发选项卡中:
将 Action 设置为转发模式;
将 Egress Interface 设置为对应 ISP2 链路的接口;
将 Next Hop 设置为 ISP2 链路的路由器 IP 地址,以便将数据包正确路由到此设备;
勾选Monitor复选框;
创建配置文件以实现Fail Over;
勾选“如果下一跳/监控IP地址不可达时禁用此规则”复选框:当 ISP2 链路中断时禁用此策略,以通过默认网关重新路由会话;
设置ISP2的路由器IP为监控目标
至此,您已成功配置基于策略的转发路由!剩下要做的就是创建安全策略,以允许会话从信任区域到 ISP2 区域建立,如果有必要,还需配置 NAT 规则:
Commit提交上述配置后,您可以使用几个有用的 CLI 命令来验证 PBF 规则是否正常运行以及是否正在使用中:
> show pbf rule all Rule ID Rule State Action Egress IF/VSYS NextHop NextHop Status ========== ===== ========== ======== =============== ======================================= ============== ISP2_webac 1 Active Forward ethernet1/2 172.16.31.1 UP
> show running pbf-policy ISP2_webaccess { id 1; from trust; source any; destination any; user any; application/service [ ftp/tcp/any/21 web-browsing/tcp/any/80 ]; action Forward; symmetric-return no; forwarding-egress-IF/VSYS ethernet1/2; next-hop 172.16.31.1; terminal no; }
> test pbf-policy-match from trust application web-browsing source 192.168.0.7 destination 93.184.216.34 protocol 6 destination-port 80 ISP2_webaccess { id 1; from trust; source any; destination any; user any; application/service [ ftp/tcp/any/21 web-browsing/tcp/any/80 ]; action Forward; symmetric-return no; forwarding-egress-IF/VSYS ethernet1/2; next-hop 172.16.31.1; terminal no; }
> show session all filter pbf-rule ISP2_webaccess -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 9873 web-browsing ACTIVE FLOW NS 192.168.0.7[4015]/trust/6 (172.16.31.2[7914]) vsys1 93.184.216.34[80]/ISP2 (93.184.216.34[80]) > show session id 9873 Session 9873 c2s flow: source: 192.168.0.7 [trust] dst: 93.184.216.34 proto: 6 sport: 4015 dport: 80 state: INIT type: FLOW src user: unknown dst user: unknown pbf rule: ISP2_webaccess 1 s2c flow: source: 93.184.216.34 [ISP2] dst: 172.16.31.2 proto: 6 sport: 80 dport: 7914 state: INIT type: FLOW src user: unknown dst user: unknown
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-29-2023
05:08 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks