Policy Based Forwarding (PBF) on a Palo Alto Firewall

This is a small example of how to configure policy based forwarding (PBF) on a Palo Alto Networks firewall. The use case was to route all user generated http and https traffic through a cheap ADSL connection while all other business traffic is routed as normal through the better SDSL connection. Since I ran into two problems with this simple scenario, I am showing the solutions here.

[UPDATE] I also wrote an article about policy based forwarding with two different virtual routers on the Palo Alto firewall. See it here.[/UPDATE]

The covered PAN-OS version during this tests was 6.0.0.

The mere setup is really easy: The SDSL router is behind eth1/1 and a default route on the PA points to that router. The ADSL router resides behind eth1/2 and has NO static route entry in the router on the PA. No second virtual router or the like is needed. (This limits the usage of the second ISP connection. It can only be used for this policy based forwarding and not for incoming connections. E.g., no remote access VPN tunnels can terminate at this second connection since it has no default route to the router backwards. However, static Site-to-Site VPNs could be used if the remote endpoint has an entry in the routing table.)

The routing decision based on the destination ports 80 and 443 are made within the Policy Based Forwarding rules in the Policies tab. The following screenshots document my policy. Note that I have NOT selected the applications “web-browsing” and “ssl” but the mere ports, i.e., services. This is due to the fact that the PA cannot decide which application it sees based on the very first packet. Therefore, I simply forward all requests to the ports 80 and 443 to the ADSL connection:

The following screenshot shows that the same destination is called once with ping and once with http. According to the PBF, both connections take a different egress interface:

PBF same src-dst IP but different ports

Do not PBF my Private Networks

My policy was a bit too wide: I was not able to reach my own http servers on the LAN anymore. ;) Of course, the single PBF rule forwards all http requests to the ADSL router. The solution was to add a second PBF rule BEFORE the already existing one, which has the destination IP addresses set to all the internal IPv4 addresses (e.g., all RFC1918 addresses) and an action of “No PBF”.

IPv4 to the Left, IPv6 to the Right

Another problem in my scenario was IPv6 since I could not route my global unicast IPv6 space from the ISP with the SDSL connection through another ADSL connection. :( (Really bad, because IPv6 is the solution for so many other cases. Here it is a bit difficult. And yes, the hated NAT for IPv4 makes it easy to use PBF in this scenario.)

The solution was to configure another “no-pbf” rule that forwards all IPv6 packets to its normal default router which is of course capable of this global unicast IPv6 range.

Here is a screenshot of my final policy:

PBF final policies

After that, all connections worked as expected. To show both links at the same time, a homepage that reveals both Internet protocol addresses such as the german www.wieistmeineip.de site can be used. Here, the IPv4 address from the dynamic ADSL connection as well as the global unicast IPv6 address (with privacy extensions enabled) are shown:

wieistmeineip.de IPv4-to-the-left IPv6-to-the-right

The egress interface can be seen in the traffic log. IPv4 connections are correctly forwarded to the ADSL router on eth1/2 while IPv6 traffic still goes out on eth1/1:

Traffic Log IPv4-to-the-left IPv6-to-the-right

Reference

Featured image “Heavy traffic” by Clemens v. Vogelsang is licensed under CC BY 2.0.

9 thoughts on “Policy Based Forwarding (PBF) on a Palo Alto Firewall

  1. Thanks for this setup information. I am trying to do the same thing following your setup. I cannot seem to get it working. I have a few questions.
    1. Did you create a second Virtual Router for the ADSL connection or leave it at none?
    2. I am assuming you assigned an IP to the ADSL Ethernet and set is a Layer 3.
    3. Is the next hop the IP of the ADSL router?

    Thanks,

    David

  2. Thank you Johannes!!!! I was missing adding the VR to the interface even though there are no routes for it.

    Kind Regards,

    David

  3. same setup works for me. originally it didn’t work because I used Plusnet DNS server IPs.I’ve changed that to google’s DNS 8.8.8.8 and everything started to work :))) don’t know why.
    you need NAT
    you need a second default route(with metric more than your current “10”)
    You need to exclude your local network from PBF(as shown above)
    Use services and not applications(need to do the test again as at the time of the issue with my Plusnet DNS I had to play with so many things…. I am not sure what I’ve done now to fix it )
    do the checks via CLI “show session Id XYZ”

    Good luck ;)

  4. hello,
    I have a question, I receive a given traffic with original ip addresses from a zone A, this traffic is matched against a security policy with original ip addresses on it., than I apply a source and destination NAT to this traffic, a pbf is also there to forward this traffic to a given gateway.
    my question is what ip addresses I need to use in my PBF, original ip addresses(Pre-nat addresses) or the natted ip addresses(Post-NAT), if the answer is original addresses, then do I need to specify aroute for the post-nated destination ip address.
    thank you

  5. Would pbf working for fail over nat … Like static public nat to two private IP one primary and one backup?

Leave a Reply

Your email address will not be published. Required fields are marked *