How to Configure PBF in Multi Vsys Configuration

Overview

This document describes how to configure PBF in a multi vsys setup on the Palo Alto Networks device.

Steps

Example network scenario (Palo Alto Networks device represented by "PA"):

Client ---- PA (vsys_lan) ---- PA (vsys_internet) ---- Internet

1. Create 2 virtual systems and make sure they are visible to each other
   
2. Each vsys has it's own VR
   
3. Create at least 1 Layer3 zone and 1 external zone for each vsys
   
4. Step4: We need to create 2 PBF rules. (1 for each vsys)
   • vsys-lan:
     
   • vsys-internet:
     
     The first PBF rule will route the traffic from the LAN vsys to the Internet vsys, the second PBF rule will forward the traffic to it's default gateway. If you don't configure the second PBF rule, your traffic will get dropped on the Palo Alto Networks device.
5. Make sure you create security policies on both vsys's that allow the traffic.

owner: rvanderveken