PBF Rule is not Working When PBF Monitoring is Enabled for the IP Across the Tunnel


Created On 09/26/18 13:49 PM - Last Modified 11/09/20 22:09 PM



In the typical setup, we create an IPSec tunnel and use a PBF rule to forward traffic into the tunnel when IPSec VPN failover is required.

Note: To configure dual ISPs and automatic VPN failover, follow the document below:

How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover


We also configure a monitoring IP (an IP address on the far side of the tunnel) to perform tunnel monitoring.



If the subnets overlap, we configure source NAT to avoid routing issues on the other end of the tunnel.

With this setup the PBF rule might not work, and you could see the PBF rule get disabled.



When PBF monitoring is enabled, the firewall sends keepalive messages sourced from the egress interface IP and sends the packets out.

If we manually ping the monitoring IP, sourcing from the egress interface IP, this traffic goes through a route lookup and a NAT lookup. As a result it is source NAT-ed and we receive ping replies.

However, the keepalive messages do not go through a route lookup, and for the same reason they are not NAT-ed. This can cause a routing issue on the other end, so we may not receive keepalive replies, which in turn causes our PBF rule to be disabled.


Rule: PBF VPN1(6)

Rule State: Disabled

Action: Forward

Symmetric Return: No

Egress IF/VSYS: tunnel.1


Monitor Slot: 1

Monitor IP:

NextHop Status: DOWN

Monitor: Action:Fail-Over, Interval:3, Threshold:5

Stats: KA sent:2971, KA got:0, Packet Matched:28675
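The rule output above is the quickest place to spot this condition: keepalives are being sent, none come back, and the next hop is marked DOWN. The following is an added example (not PAN-OS code and not part of the original article) that parses output in the same "Field: value" layout and flags rules showing that pattern. The sample text is constructed from the fields shown above; the Monitor IP values and the second, healthy rule are placeholders added for contrast.

```python
"""Parse PBF rule output in the layout shown above and flag monitors whose
keepalives go unanswered.

Added example, not PAN-OS code. SAMPLE_OUTPUT is constructed: the first rule
mirrors the article's output (Monitor IP is a placeholder), the second is a
healthy rule added for contrast.
"""
import re

SAMPLE_OUTPUT = """\
Rule: PBF VPN1(6)
Rule State: Disabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
Monitor Slot: 1
Monitor IP: 10.0.0.1
NextHop Status: DOWN
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:0, Packet Matched:28675

Rule: PBF VPN2(7)
Rule State: Enabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.2
Monitor Slot: 2
Monitor IP: 10.0.1.1
NextHop Status: UP
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:2960, Packet Matched:1023
"""


def parse_pbf_rules(text):
    """Split the output into one dict per rule, keyed by the field names.

    A new rule starts at every 'Rule:' line; every other non-empty line is
    split on its first colon so values that themselves contain colons
    (the Monitor and Stats lines) survive intact.
    """
    rules = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Rule:"):
            current = {"Rule": line.split(":", 1)[1].strip()}
            rules.append(current)
            continue
        if current is None:
            continue  # text before the first rule block
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()

    # Pull the keepalive counters out of the Stats line.
    for rule in rules:
        m = re.search(r"KA sent:(\d+), KA got:(\d+)", rule.get("Stats", ""))
        rule["ka_sent"] = int(m.group(1)) if m else 0
        rule["ka_got"] = int(m.group(2)) if m else 0
    return rules


def unanswered_monitors(rules):
    """Names of rules whose keepalives are sent but never answered while the
    next hop is reported DOWN: the symptom the article describes when the
    monitor traffic is not NAT-ed across the tunnel."""
    return [
        r["Rule"]
        for r in rules
        if r["ka_sent"] > 0
        and r["ka_got"] == 0
        and r.get("NextHop Status", "").upper() == "DOWN"
    ]


if __name__ == "__main__":
    for name in unanswered_monitors(parse_pbf_rules(SAMPLE_OUTPUT)):
        print(f"check NAT/routing for monitor traffic of rule: {name}")
```

A rule flagged this way with Packet Matched still climbing tells you traffic is hitting the rule but the monitor, not the data path, is what is failing, which is exactly the split between manual ping (NAT-ed) and keepalive (not NAT-ed) described above.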



Configure a public IP on the tunnel interface, and on the other end of the tunnel create a static route for this public IP pointing to the tunnel. Because the keepalives are sourced from the egress interface IP, they now carry an address the far end can route back to without depending on NAT.


owner: skumar1
