Paloalto Policy based forwarding (PBF)

From Notes_Wiki

Home > Enterprise security devices or applications > Paloalto firewall > Paloalto Policy based forwarding (PBF)

On PBF note that:

  • We do not need PBF for incoming NAT reply packets. ECMP with symmetric return enabled on the router is enough.
  • Do not configure PBF towards a specific ISP when the same source LAN machine is NATed to a public IP of the other ISP. In that case the reply packets try to leave via a different ISP (as directed by PBF) and the configuration does not work.
  • If we do PBF and there are VPN users accessing a particular server or LAN machine, we do not want the server's replies to the VPN users to follow PBF. In this case add the VPN subnet as a negated destination IP range in the PBF rule.
    • For example, if packets originate from LAN IP 10.1.1.1 and go to any IP other than the VPN IPs in 10.100.1.0/24, then send the outgoing packets via ethernet1/1.
  • Try to enable monitoring in PBF so that if a specific IP (e.g. an Internet IP such as 8.8.8.8) is not reachable via a gateway, that PBF rule gets disabled. While enabling the monitor on a PBF rule there is a setting called Profile; the default profile can be used. This profile typically configures:
    • How many ping packets to send per interval and what interval should be used.
    • Whether to try connecting to this destination via TCP.
    • How many dropped packets are needed for the connection to be considered down, and similar monitoring settings.
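As an added illustration (constructed for this note, not PAN-OS code or Palo Alto's own logic), a small Python model of the rule above: source 10.1.1.1, a negated destination of the VPN subnet 10.100.1.0/24, egress ethernet1/1, and a monitor that disables the rule after a constructed threshold of consecutive failed probes. Names, thresholds and the "route-table" fallback label are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class MonitorProfile:
    """Constructed stand-in for a PBF monitor profile: probes per interval
    and how many consecutive misses mark the gateway as down."""
    pings_per_interval: int = 3
    failure_threshold: int = 3

@dataclass
class PbfRule:
    """One PBF rule: source, negated destination ranges, egress interface."""
    name: str
    source: ipaddress.IPv4Network
    negate_destinations: list          # dst in any of these => rule does NOT apply
    egress_interface: str
    monitor_target: str                # IP the firewall would probe (e.g. 8.8.8.8)
    monitor: MonitorProfile = field(default_factory=MonitorProfile)
    disable_if_unreachable: bool = True
    consecutive_failures: int = 0

    def record_probe(self, reachable: bool) -> None:
        # A successful probe resets the failure streak; a miss extends it.
        self.consecutive_failures = 0 if reachable else self.consecutive_failures + 1

    def is_enabled(self) -> bool:
        if not self.disable_if_unreachable:
            return True
        return self.consecutive_failures < self.monitor.failure_threshold

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.source:
            return False
        # Negated destination: match only when dst is outside every listed range,
        # so traffic to the VPN subnet falls through to normal routing.
        return not any(d in net for net in self.negate_destinations)

def choose_egress(rules, src, dst, default="route-table"):
    """Return the egress of the first enabled matching rule, else the default."""
    for rule in rules:
        if rule.is_enabled() and rule.matches(src, dst):
            return rule.egress_interface
    return default

def make_example_rule() -> PbfRule:
    # The rule from the note: 10.1.1.1 to anything except 10.100.1.0/24 -> ethernet1/1
    return PbfRule("lan-to-isp1", ipaddress.ip_network("10.1.1.1/32"),
                   [ipaddress.ip_network("10.100.1.0/24")], "ethernet1/1", "8.8.8.8")
```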
