Policy Based Forwarding on a Palo Alto with different Virtual Routers

This guide is a little bit different to my other Policy Based Forwarding blog post because it uses different virtual routers for both ISP connections. This is quite common to have a distinct default route for both providers. So, in order to route certain traffic, e.g., http/https, to another ISP connection, policy based forwarding is used.

There are two documents from Palo Alto that give advises how to configure PBF.

I am using a PA-200 with PAN-OS 7.0.1. My lab is the following:

Palo Alto PBF with different VRs

(Note that, unlike Juniper ScreenOS, a zone is not tied to a virtual router. You actually can merge interfaces on different vrouters into the same zone. However, I prefer to configure an extra zone for each ISP to keep my security policies clearly separated.)

These are the configuration steps. See the descriptions under the screenshots for details:


Featured image “Kondensstreifen” by Rüdiger Stehn is licensed under CC BY-SA 2.0.

8 thoughts on “Policy Based Forwarding on a Palo Alto with different Virtual Routers

  1. Very good explaination, thanks. You use static routes between the two virtual routers. I would like to use automatic route redistribution, but not to the internet. What do you think?
    Kind regards

        1. Hello Michael,
          what do you mean with “isn’t straight forward”? The implementation of OSPFv2? Or the routing between different VRs when using OSPF?
          (Ok, I still have not tried OSPFv2 with different VRs, but in general the OSPF implementation works quite good from my point of view.)

  2. Good morning, I need to implement in my PA 3020 three ISPs, two of which will be exited for the internet and one for my web services. How do I make this configuration so that I have a routing between the two Internet outlets with my ISP services?

    1. Hi Marcio. Sorry, but I cannot answer this within 1-2 sentences. ;) It requires a more profound design with a discussion about the pros and cons, etc. I am not offering this kind of consulting within the comments section in my blog. Sorry. ;)
      Please ask your local IT security provider or some security consultants for that.

      (Just a short hint: I would use own virtual routers for all three ISPs.)

Leave a Reply

Your email address will not be published. Required fields are marked *