Policy Based Forwarding (PBF) - Palo Alto Networks Firewall

In this article, we will configure Policy Based Forwarding (PBF) on a Palo Alto Networks firewall. PBF lets the firewall bypass the routing table and forward packets according to a policy instead of the normal route lookup.

A PBF rule matches on source zone, source address, source user, destination address, application and service. When a new session matches the rule, the firewall skips the routing-table lookup and sends the traffic out the egress interface and next hop defined in the rule, without any change to the routing table itself.

Let’s start configuring the Policy Based Forwarding.

How to configure Policy Based Forwarding (PBF) on Palo Alto Networks Firewall

Before moving to the configuration, let's first understand the scenario. I have two ISPs directly connected to my Palo Alto Networks firewall. ISP1 is the primary link and provides plenty of bandwidth; ISP2 is a backup link with less bandwidth.

I have configured one default route towards ISP1 with metric 10 and a second default route towards ISP2 with metric 20, so the routing table prefers ISP1 for everything. We will use PBF to steer non-critical business traffic such as HTTP and HTTPS over ISP2 instead.

pbf-palo-alto-networks-firewall

The static routes configured on the Firewall:

palo-alto-firewall-routing-table

Step 1: Configure the Monitor Profile on Palo Alto Networks (optional but recommended)

First, we will configure a Monitor Profile under Network Profiles. The firewall uses it to ping the next hop, so it can detect when the next hop becomes unreachable and stop steering new sessions into a dead link.

Navigate to Network > Network Profiles > Monitor Profile and click Add. Give the profile a name, e.g. failover. Set Action to Wait Recover (keep waiting for the monitored IP to come back) or Fail Over (move traffic to the next available path). Leave Interval and Threshold at their defaults: one ping every 3 seconds, and 5 consecutive missed pings before the path is declared down.

paloalto-network-profile

Step 2: Configure the PBF Policy in Palo Alto Networks

Log in to the Palo Alto Networks firewall, navigate to Policies > Policy Based Forwarding and click Add. In the General tab, give the rule a name, e.g. Forward-ISP2.

paloalto-pbf-general

Now, click the Source tab and set the Source Zone to Trust. Optionally you can restrict the Source Address and Source User as well; for this example, I am using any for both.

paloalto-pbf-source

Click the Destination/Application/Service tab and define the destination addresses, applications and services to be steered. To keep this article simple, I match only the HTTP and HTTPS services. Prefer matching on service (port) rather than application here: PBF is evaluated on the first packet of a session, before App-ID has identified the application, so application-based PBF rules are less predictable than service-based ones.

pa-pbf-source-destination-and-service

Click the Forwarding tab and define the Action, Egress Interface and Next Hop. I set Action to Forward, Egress Interface to ethernet1/2 and Next Hop to IP Address 202.1.1.2 (the ISP2 gateway).

Finally, tick Monitor, select the monitor profile created in Step 1, and tick Disable this rule if nexthop/monitor IP is unreachable. In the IP Address field, I entered the ISP2 next-hop IP, 202.1.1.2. With this option set, the firewall stops applying the rule as soon as the pings fail, and new sessions fall back to the routing table (ISP1) instead of being pushed into a dead link.

paloalto-pbf-forwarding

Click OK to save the rule.

Step 3: Configure the Security and NAT Policy to allow the traffic in Palo Alto Networks

PBF only changes where a packet is sent; it does not permit it. We still need a security policy that allows the traffic from the Trust zone to the zone that the PBF egress interface (ethernet1/2) belongs to. Navigate to Policies > Security and click Add to create a new security rule.


palo-alto-firewall-security-policy

Now, create a source NAT rule that translates the private addresses to the public address of the ISP2 link. Navigate to Policies > NAT and click Add to create a new NAT rule. Set the Destination Interface to ethernet1/2 and translate to that interface's address: if this traffic were translated to the ISP1 public IP, the replies would be routed back via ISP1 and the sessions would break.

palo-alto-firewall-nat-policy

Step 4: Commit the changes on Palo Alto Networks Firewall

We have now configured Policy Based Forwarding (PBF) on the Palo Alto Networks firewall. A commit is needed to move the candidate configuration into the running configuration.

Click Commit in the top-right corner.
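The same build, entered from the PAN-OS CLI in configuration mode, as an added example that is not part of the original article. Names the article gives (Trust, failover, Forward-ISP2, ethernet1/2, 202.1.1.2) are reused; everything else is an assumption: the zone of ethernet1/2 is called Untrust-ISP2, the security rule Allow-Web-ISP2 and the NAT rule SNAT-ISP2. The PBF rule matches on the HTTP and HTTPS services rather than on applications, because PBF is evaluated on the first packet of a session, before App-ID has identified the application.

```text
configure

# Step 1: monitor profile "failover". Defaults: ping every 3 s, 5 misses = path down.
set network profiles monitor-profile failover action wait-recover interval 3 threshold 5

# Step 2: PBF rule. Match Trust-sourced HTTP/HTTPS, push it out ethernet1/2 to the ISP2 gateway,
# and disable the rule (fall back to the routing table) while 202.1.1.2 does not answer pings.
set rulebase pbf rules Forward-ISP2 from zone Trust
set rulebase pbf rules Forward-ISP2 source any
set rulebase pbf rules Forward-ISP2 destination any
set rulebase pbf rules Forward-ISP2 application any
set rulebase pbf rules Forward-ISP2 service [ service-http service-https ]
set rulebase pbf rules Forward-ISP2 action forward egress-interface ethernet1/2 nexthop ip-address 202.1.1.2
set rulebase pbf rules Forward-ISP2 action forward monitor profile failover disable-if-unreachable yes ip-address 202.1.1.2

# Step 3: security rule Trust -> Untrust-ISP2 (assumed zone name of ethernet1/2) for web traffic only.
set rulebase security rules Allow-Web-ISP2 from Trust to Untrust-ISP2 source any destination any application [ web-browsing ssl ] service application-default action allow

# Step 3: source NAT to the ethernet1/2 address, bound to that egress interface so replies come back via ISP2.
set rulebase nat rules SNAT-ISP2 from Trust to Untrust-ISP2 to-interface ethernet1/2 source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Step 4
commit
```

The lines starting with # are annotations for the reader; the PAN-OS configure-mode CLI does not accept them, so drop them before pasting. The security and NAT rules are scoped to the Untrust-ISP2 zone and ethernet1/2 on purpose: the zone of a PBF session is taken from the PBF egress interface, so a rule written only for the ISP1 zone would not match this traffic.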

Step 5: Verifying the Policy Based Forwarding (PBF)

In this section, we verify the configuration by viewing the traffic logs. Navigate to Monitor > Logs > Traffic. You will find that all web-browsing traffic (HTTP and HTTPS) now leaves through ISP2, with ethernet1/2 shown as the egress interface.

paloalto-firewall-traffic-logs

That's it! We have successfully configured PBF on the Palo Alto Networks firewall.

Useful commands for managing Policy Based Forwarding on Palo Alto Networks

In this section, we will look at a few PAN-OS commands for managing PBF. To list the Policy Based Forwarding rules, run the command below:

You can filter the ongoing sessions by PBF rule with the command below:


To view the full details of a PBF session, run the command below:


Since the rule uses the monitor profile with Disable this rule if nexthop/monitor IP is unreachable, the PBF rule is disabled as soon as the next hop 202.1.1.2 stops answering pings. New sessions then follow the routing table (the ISP1 default route) until the monitored IP recovers and the rule is re-enabled.

The corresponding log messages appear under Monitor > Logs > System.
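A verification session from the PAN-OS operational CLI, as an added example that is not part of the original article. Rule and zone names follow the steps above (Forward-ISP2, Trust) plus the assumed zone Untrust-ISP2 for ethernet1/2; the client address 192.168.1.10, the web server 198.51.100.10, the virtual router name default and the session ID 12345 are placeholders to replace with your own.

```text
# List every PBF rule with its state. A rule whose monitored next hop is down shows as disabled.
show pbf rule all

# Details of one rule: monitor profile, monitored IP, egress interface, next hop.
show pbf rule name Forward-ISP2

# Which active sessions are being forwarded by the rule (nothing here = the rule is not matching).
show session all filter pbf-rule Forward-ISP2

# Full record of one session, including the egress interface and the PBF rule applied.
show session id 12345

# Dry run: which PBF rule would a new TCP/443 session from 192.168.1.10 to 198.51.100.10 hit?
test pbf-policy-match from Trust to Untrust-ISP2 source 192.168.1.10 destination 198.51.100.10 protocol 6 destination-port 443

# Contrast with the plain routing decision for the same destination: the FIB still answers ISP1,
# which is exactly the lookup PBF overrides for matching traffic.
test routing fib-lookup virtual-router default ip 198.51.100.10

# Failover evidence: most recent system log entries, including path-monitor up/down events.
show log system direction equal backward
```

Run the session filter and the dry run before and after pulling the ISP2 link (or blocking ICMP to 202.1.1.2): while the next hop is unreachable the rule disappears from the match result and new web sessions show ethernet1/1-side egress in the traffic log, confirming the fallback to the routing table.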


Summary

In this article, we configured Policy Based Forwarding (PBF) on a Palo Alto Networks firewall and covered the failover behaviour. First we created a monitor profile and attached it to the PBF rule, then we created the security and NAT rules that allow the traffic and translate it to the ISP2 public IP, and finally we looked at a few PBF commands for managing and verifying the setup.

I hope you like this article. Please share it on social media platforms and show us some love 🙂
