Commit Fails when PBF Rule is Configured with Tunnel on Egress Interface
Issue
A commit on the Palo Alto Networks device fails when a PBF (Policy Based Forwarding) rule is configured with a tunnel as the egress interface.
The following is an example of the error that appears during a commit attempt:
VSYS1
Error: pbf rule 'TestPBF': No ip/ipv6 address defined on pbf interface tunnel.
Error: Failed to parse pbf policy
(Module: device)
Commit failed
Cause
The commit failure occurs because the tunnel interface has not been configured with an IP address. On the Palo Alto Networks firewall, an IP address is not required on the tunnel interface for VPN tunnels. However, a PBF rule requires an IP address when the egress interface is a tunnel.
Resolution
Follow the steps below to configure the tunnel as the egress interface:
- Navigate to Policies > Policy Based Forwarding
- Select the PBF rule
- Under the Forwarding tab, configure the tunnel as an egress interface
Follow the steps below to configure an IP address on the tunnel:
- Navigate to Network > Interfaces > Tunnel
- Select the tunnel interface
- Configure the IP address. The IP address can be a dummy value or a valid address.
owner: jlunario