Selecting an IP Address for PBF or Tunnel Monitoring

Selecting an IP Address for PBF or Tunnel Monitoring

Created On 09/25/18 18:50 PM - Last Modified 06/09/23 08:48 AM



PBF (Policy Based Forwarding) Monitoring or Tunnel Monitoring sustains uninterrupted connectivity through the configured PBF path or tunnel. For this to be accomplished, ping packets are sent to a configured remote IP to determine if the path is still usable for the desired communication.



For the monitoring to work properly, select a remote IP address reachable through the PBF path or configured tunnel.

This IP address can be any monitored IP address in the configured remote network or the IP address:

  • On the remote end of the tunnel.
  • Of the next hop.


Note: The ping packets are sourced from the local tunnel interface (for tunnel monitoring), or the interface configured as the egress interface (for PBF monitoring). Generally, tunnel monitoring is used from a Palo Alto Networks firewall to another Palo Alto Networks firewall. If using Palo Alto Networks tunnel monitoring to a non Palo Alto Networks firewall, additional requirements must be met for tunnel monitoring to work with the tunnel monitoring configuration on the Palo Alto Networks firewall. Be sure the following are in place:

  • A policy permitting pings from the Palo Alto Networks firewall tunnel's IP address to the other device.
  • Configured proxy IDs for the monitored traffic on both devices:
    • On the Palo Alto Networks firewall, the local ID is the tunnel's IP, and the remote IP is either the other device's tunnel IP address or the IP address of a node behind the other device (whichever is being monitored).
    • The Proxy IDs on the other device must be a mirror image of what has been specified under the Palo Alto Networks firewall.


If you're using any monitored IP address on the remote network, the local tunnel/egress address does not need to be in the same subnet as the monitored address. Monitoring will still work as long as the monitored device is configured to respond to pings and is reachable through the tunnel or PBF.


Also look at this article in which PBF monitoring through tunnel does not work due to overlapping subnets: PBF Rule is not Working When PBF Monitoring is Enabled for the IPAcross the Tunnel


owner: tasonibare

  • Print
  • Copy Link

Choose Language