Paloalto Policy based forwarding (PBF)
From Notes_Wiki
Notes on PBF:
- We don't need PBF for incoming NAT reply packets. Using ECMP with symmetric return on the router is enough.
- Don't do PBF towards a specific ISP when the same source LAN machine is NATed to the public IP of the other ISP. In that case the reply packets try to leave via a different ISP (as per PBF) and the configuration does not work.
- If we do PBF and there are VPN users trying to access a particular server / LAN machine, then we don't want the VPN reply from the server to use PBF. In this case add the VPN subnet as a negated destination IP range in the PBF rule.
- For example, if packets originate from LAN IP 10.1.1.1 and go to any IP other than the VPN IPs in 10.100.1.0/24, then send the outgoing packets via ethernet1/1.
- Try to enable monitoring in PBF so that if some specific IP (e.g. an Internet IP such as 8.8.8.8) is not reachable via a gateway then that PBF rule can be disabled. While enabling monitoring on a PBF rule there is a setting called Profile. We can use the default profile. This profile typically configures:
  - How many ping packets to send per interval and what interval should be used.
  - Whether to try connecting to this destination via TCP.
  - How many dropped packets are needed for the connection to be considered down, and similar monitoring settings.
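The notes above put together as one PAN-OS CLI configuration. This is an added example, not configuration from the original page: the rule name PBF-ISP1, zone name trust, next-hop 203.0.113.1 and the monitor profile name pbf-isp1-monitor are assumed placeholders, and the keyword forms follow the `set rulebase pbf` and `set network profiles monitor-profile` CLI as I know it; check them against the CLI reference of the PAN-OS version in use. The `#` lines are annotations for the reader, not something the PAN-OS CLI accepts.

```text
# Monitor profile (constructed values): probe every 3 seconds and treat the
# path as down after 5 consecutive failures.
set network profiles monitor-profile pbf-isp1-monitor interval 3
set network profiles monitor-profile pbf-isp1-monitor threshold 5
set network profiles monitor-profile pbf-isp1-monitor action fail-over

# PBF rule: traffic from LAN host 10.1.1.1 to anything EXCEPT the VPN pool
# 10.100.1.0/24 is forwarded out ethernet1/1. The negated destination keeps
# replies to VPN users on the normal routing path.
set rulebase pbf rules PBF-ISP1 from zone trust
set rulebase pbf rules PBF-ISP1 source 10.1.1.1
set rulebase pbf rules PBF-ISP1 destination 10.100.1.0/24
set rulebase pbf rules PBF-ISP1 negate-destination yes
set rulebase pbf rules PBF-ISP1 application any
set rulebase pbf rules PBF-ISP1 service any
set rulebase pbf rules PBF-ISP1 action forward egress-interface ethernet1/1
set rulebase pbf rules PBF-ISP1 action forward nexthop ip-address 203.0.113.1

# Path monitoring: ping 8.8.8.8 through the ISP 1 gateway; if it becomes
# unreachable the rule is disabled and traffic falls back to the routing table
# instead of being forwarded into a dead gateway.
set rulebase pbf rules PBF-ISP1 action forward monitor profile pbf-isp1-monitor
set rulebase pbf rules PBF-ISP1 action forward monitor ip-address 8.8.8.8
set rulebase pbf rules PBF-ISP1 action forward monitor disable-if-unreachable yes

commit
```

After the commit, `show pbf rule all` in operational mode lists each PBF rule with its monitor status, which is the quickest way to confirm the rule is active and that the monitored IP is being reached through the intended interface.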