Commit Fails when PBF Rule is Configured with Tunnel on Egress Interface

Created On 09/25/18 17:36 PM - Last Modified 06/12/23 16:50 PM


Issue

A commit on the Palo Alto Networks device fails when a PBF (Policy Based Forwarding) rule is configured with a tunnel as the egress interface.

The following is an example of the error that appears during a commit attempt:

VSYS1

  Error: pbf rule 'TestPBF': No ip/ipv6 address defined on pbf interface tunnel.

  Error: Failed to parse pbf policy

(Module: device)

Commit failed

Cause

The commit failure occurs because the tunnel interface has not been configured with an IP address. On the Palo Alto Networks firewall, an IP address is not required on the tunnel interface for VPN tunnels. However, a PBF rule requires an IP address when the egress interface is a tunnel.

Resolution

Follow the steps below to configure the tunnel as the egress interface:

  1. Navigate to Policies > Policy Based Forwarding
  2. Select the PBF rule
  3. Under the Forwarding tab, configure the tunnel as an egress interface

Follow the steps below to configure an IP address on the tunnel:

  1. Navigate to Network > Interfaces > Tunnel
  2. Select the tunnel interface
  3. Configure the IP address. The IP address can be a dummy value or a valid address.
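
A pre-commit check for this condition, as an added example that is not part of the original article or Palo Alto Networks code: it scans an exported configuration for PBF rules whose egress interface is a tunnel with no IPv4 or IPv6 address. The XML element layout and the sample configuration are assumptions constructed for illustration; adjust the paths to match your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout is an assumption
# modelled on a PAN-OS-style configuration file.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network><interface><tunnel><units>
    <entry name="tunnel.1"/>
    <entry name="tunnel.2"><ip><entry name="192.0.2.1/30"/></ip></entry>
    <entry name="tunnel.3"><ipv6><address><entry name="2001:db8::1/64"/></address></ipv6></entry>
  </units></tunnel></interface></network>
  <vsys><entry name="vsys1"><rulebase><pbf><rules>
    <entry name="TestPBF"><action><forward><egress-interface>tunnel.1</egress-interface></forward></action></entry>
    <entry name="ViaTunnel2"><action><forward><egress-interface>tunnel.2</egress-interface></forward></action></entry>
    <entry name="ViaTunnel3"><action><forward><egress-interface>tunnel.3</egress-interface></forward></action></entry>
    <entry name="ViaEth"><action><forward><egress-interface>ethernet1/1</egress-interface></forward></action></entry>
  </rules></pbf></rulebase></entry></vsys>
</entry></devices></config>
"""

def tunnels_with_address(root):
    """Return names of tunnel interfaces that carry at least one IPv4 or IPv6 address."""
    addressed = set()
    base = root.find(".//network/interface/tunnel")
    if base is None:
        return addressed
    # The base "tunnel" interface and every tunnel.N unit are checked the same way.
    nodes = [("tunnel", base)] + [(u.get("name"), u) for u in base.iterfind("units/entry")]
    for name, node in nodes:
        if node.find("ip/entry") is not None or node.find("ipv6/address/entry") is not None:
            addressed.add(name)
    return addressed

def find_unaddressed_pbf_tunnels(xml_text):
    """Return (vsys, rule, interface) for PBF rules that egress via a tunnel without an address."""
    root = ET.fromstring(xml_text)
    addressed = tunnels_with_address(root)
    findings = []
    for vsys in root.iterfind(".//vsys/entry"):
        for rule in vsys.iterfind("rulebase/pbf/rules/entry"):
            egress = (rule.findtext("action/forward/egress-interface") or "").strip()
            if egress.startswith("tunnel") and egress not in addressed:
                findings.append((vsys.get("name"), rule.get("name"), egress))
    return findings

if __name__ == "__main__":
    for vsys, rule, iface in find_unaddressed_pbf_tunnels(SAMPLE_CONFIG):
        print(f"{vsys}: pbf rule '{rule}' egresses via {iface}, which has no IP address")
```

A tunnel referenced by a PBF rule but absent from the interface list is reported the same way as one without an address.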

owner: jlunario
