Policy Based Forwarding on a Palo Alto with different Virtual Routers

This guide is a little bit different from my other Policy Based Forwarding blog post because it uses a separate virtual router for each of the two ISP connections. This is quite common when each provider should have its own default route. To route certain traffic, e.g., http/https, through the other ISP connection, policy based forwarding is used.

There are two documents from Palo Alto that give advice on how to configure PBF.

I am using a PA-200 with PAN-OS 7.0.1. My lab is the following:

Palo Alto PBF with different VRs

(Note that, unlike Juniper ScreenOS, a zone is not tied to a virtual router. You actually can merge interfaces on different vrouters into the same zone. However, I prefer to configure an extra zone for each ISP to keep my security policies clearly separated.)

These are the configuration steps. See the descriptions under the screenshots for details:
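The layout described above, written out as PAN-OS set-format CLI commands. This is an added example, not the author's configuration and not the screenshots this post refers to. The interface assignment (ethernet1/1 to ISP1, ethernet1/2 to ISP2, ethernet1/3 to the LAN), the zone and virtual router names, and the addresses 203.0.113.1, 198.51.100.1 and 192.168.10.0/24 are assumptions chosen for illustration; the syntax is the PAN-OS CLI set format as I know it and should be checked against the configuration guide for your PAN-OS version.

```text
# Added example, not the author's configuration. Names and addresses are assumptions.

# --- Two virtual routers, each with its own default route to its ISP ---
set network virtual-router VR-ISP1 interface [ ethernet1/1 ethernet1/3 ]
set network virtual-router VR-ISP1 routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

set network virtual-router VR-ISP2 interface ethernet1/2
set network virtual-router VR-ISP2 routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1

# --- Static routes between the VRs (next-vr), so that traffic arriving on
#     ISP2 can reach the LAN and the LAN can reach ISP2's transfer network ---
set network virtual-router VR-ISP1 routing-table ip static-route to-ISP2-net destination 198.51.100.0/24 nexthop next-vr VR-ISP2
set network virtual-router VR-ISP2 routing-table ip static-route to-LAN destination 192.168.10.0/24 nexthop next-vr VR-ISP1

# --- One zone per ISP plus the inside zone ---
set zone trust network layer3 ethernet1/3
set zone ISP1 network layer3 ethernet1/1
set zone ISP2 network layer3 ethernet1/2

# --- PBF: web traffic from the LAN leaves via ISP2 instead of VR-ISP1's default route.
#     Match on the predefined service objects, not on App-ID: PBF is evaluated on the
#     first packet of a session, before the application has been identified.
#     Path monitoring falls back to normal routing if ISP2's next hop is unreachable. ---
set rulebase pbf rules PBF-web-via-ISP2 from zone trust
set rulebase pbf rules PBF-web-via-ISP2 source 192.168.10.0/24
set rulebase pbf rules PBF-web-via-ISP2 destination any
set rulebase pbf rules PBF-web-via-ISP2 application any
set rulebase pbf rules PBF-web-via-ISP2 service [ service-http service-https ]
set rulebase pbf rules PBF-web-via-ISP2 action forward egress-interface ethernet1/2 nexthop ip-address 198.51.100.1
set rulebase pbf rules PBF-web-via-ISP2 action forward monitor profile default disable-if-unreachable yes ip-address 198.51.100.1

# --- Source NAT for the second exit: PBF only chooses the egress interface,
#     the private LAN address still has to be translated to ISP2's address ---
set rulebase nat rules SNAT-ISP2 from trust to ISP2 source 192.168.10.0/24 destination any to-interface ethernet1/2
set rulebase nat rules SNAT-ISP2 source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# --- Security policy for the redirected traffic (trust -> ISP2); trust -> ISP1 as before ---
set rulebase security rules Allow-web-ISP2 from trust to ISP2 source 192.168.10.0/24 destination any application [ web-browsing ssl ] service application-default action allow

# --- Optional, for connections that come IN on ISP2 (NATed servers, VPN peers):
#     pin the reply flow to ISP2's next hop instead of letting the route lookup
#     on the server-side VR send it out via ISP1 ---
set rulebase pbf rules Inbound-ISP2-symmetric from zone ISP2
set rulebase pbf rules Inbound-ISP2-symmetric source any
set rulebase pbf rules Inbound-ISP2-symmetric destination any
set rulebase pbf rules Inbound-ISP2-symmetric application any
set rulebase pbf rules Inbound-ISP2-symmetric service any
set rulebase pbf rules Inbound-ISP2-symmetric action no-pbf
set rulebase pbf rules Inbound-ISP2-symmetric enforce-symmetric-return enabled yes
set rulebase pbf rules Inbound-ISP2-symmetric enforce-symmetric-return nexthop-address-list 198.51.100.1
```

A check after committing: open a browser from the LAN and look at the session in the traffic log or with `show session all filter destination-port 443`; the egress interface of the http/https sessions should be ethernet1/2 and the translated source address should be ISP2's, while everything else still leaves via ethernet1/1. The last rule is only needed when you expect incoming connections on the second ISP; it is the counterpart to the asymmetric-routing problem discussed in the comments below.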


Featured image “Kondensstreifen” by Rüdiger Stehn is licensed under CC BY-SA 2.0.

12 thoughts on “Policy Based Forwarding on a Palo Alto with different Virtual Routers”

  1. Very good explanation, thanks. You use static routes between the two virtual routers. I would like to use automatic route redistribution, but not to the internet. What do you think?
    Kind regards

        1. Hello Michael,
          what do you mean by “isn’t straight forward”? The implementation of OSPFv2? Or the routing between different VRs when using OSPF?
          (Ok, I still have not tried OSPFv2 with different VRs, but in general the OSPF implementation works quite well from my point of view.)

  2. Good morning, I need to implement three ISPs in my PA 3020, two of which will be exits to the internet and one for my web services. How do I make this configuration so that I have routing between the two Internet exits with my ISP services?

    1. Hi Marcio. Sorry, but I cannot answer this within 1-2 sentences. ;) It requires a more profound design with a discussion about the pros and cons, etc. I am not offering this kind of consulting within the comments section in my blog. Sorry. ;)
      Please ask your local IT security provider or some security consultants for that.

      (Just a short hint: I would use their own virtual routers for all three ISPs.)

  3. Johannes, why create a new separate VR when you could have simply created another default route with a higher metric/admin distance?

    Are there any pros/cons to either approach ?

    1. Hey Phill,

      when you are only using *outgoing* connections, then you are right: You don’t need a second virtual router. Have a look at my other blog post linked in the very first sentence.

      BUT: If you have *incoming* connections on both ISPs, for example for NATed servers behind the firewall or for site-to-site VPN sessions, it is much better to have two distinct virtual routers, one for each ISP, with their default routes pointing to the ISPs. Otherwise you’ll run into trouble getting the correct return route to the corresponding ISP, i.e., NOT having asymmetric routes.

      Cheers, Johannes
