PBF Rule is not Working When PBF Monitoring is Enabled for the IP Across the Tunnel
44989
Created On 09/26/18 13:49 PM - Last Modified 08/08/24 01:42 AM
Symptom
- Public Monitoring IP is configured for Policy-Based Forwarding (PBF)
- PBF Rule fails and gets disabled due to monitoring failure.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Policy-Based Forwarding (PBF)
- Monitoring enabled with Public IP
Cause
- With PBF monitoring enabled, the firewall sends the keepalives to the monitor IP with the egress interface's address as the source.
- If routing (and/or NAT) for that path is incorrect, the keepalives may never reach the monitored destination, or the reply packets may never make it back to the firewall.
- Once the failure threshold is reached, the PBF rule is disabled, as configured in the monitor action.
- Use the CLI command "show pbf rule name <name>" to check the status. In the example below, keepalives are being sent (KA sent:2971) but none are received (KA got:0), so the next hop is marked DOWN and the rule is disabled.
Rule: PBF VPN1(6)
Rule State: Disabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
NextHop: 0.0.0.0
Monitor Slot: 1
Monitor IP: 170.66.50.11
NextHop Status: DOWN
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:0, Packet Matched:28675
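The output above is what an operator usually has to read by hand when a PBF rule goes down. The following Python script is an added example (not PAN-OS code and not part of this article) that parses the "show pbf rule name <name>" output into fields and classifies the monitor state, so the "keepalives sent but never answered" signature from this article can be picked out automatically. It assumes the output keeps the exact "Key: value" layout shown above; the sample text is constructed from that output (a second, healthy sample is invented for contrast), and the diagnosis labels and the assumption that a rule without monitoring simply lacks the "Monitor IP" line are the author's, not PAN-OS's.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the failing rule from the article's CLI output.
FAILING_OUTPUT = """\
Rule: PBF VPN1(6)
Rule State: Disabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
NextHop: 0.0.0.0
Monitor Slot: 1
Monitor IP: 170.66.50.11
NextHop Status: DOWN
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:2971, KA got:0, Packet Matched:28675
"""

# Constructed sample: same rule shape with a healthy monitor (invented counters).
HEALTHY_OUTPUT = """\
Rule: PBF VPN1(6)
Rule State: Enabled
Action: Forward
Symmetric Return: No
Egress IF/VSYS: tunnel.1
NextHop: 0.0.0.0
Monitor Slot: 1
Monitor IP: 170.66.50.11
NextHop Status: UP
Monitor: Action:Fail-Over, Interval:3, Threshold:5
Stats: KA sent:120, KA got:120, Packet Matched:5000
"""

_STATS_RE = re.compile(r"KA sent:(\d+), KA got:(\d+), Packet Matched:(\d+)")
_MONITOR_RE = re.compile(r"Action:([^,]+), Interval:(\d+), Threshold:(\d+)")


@dataclass
class PbfRuleStatus:
    name: str
    rule_state: str
    egress: str
    next_hop: str
    monitor_ip: Optional[str]
    next_hop_status: Optional[str]
    monitor_action: Optional[str]
    interval: Optional[int]
    threshold: Optional[int]
    ka_sent: int
    ka_got: int
    packet_matched: int


def _fields(text: str) -> Dict[str, str]:
    """Split each 'Key: value' line on the first ': ' so that values which
    themselves contain colons (the Monitor and Stats lines) stay intact."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            out[key] = value.strip()
    return out


def parse_pbf_rule(text: str) -> PbfRuleStatus:
    """Parse one 'show pbf rule name <name>' block into a structured record."""
    f = _fields(text)
    stats = _STATS_RE.search(f.get("Stats", ""))
    if stats is None:
        raise ValueError("Stats line missing or in an unexpected format")
    mon = _MONITOR_RE.search(f.get("Monitor", ""))
    return PbfRuleStatus(
        name=f["Rule"],
        rule_state=f["Rule State"],
        egress=f["Egress IF/VSYS"],
        next_hop=f["NextHop"],
        monitor_ip=f.get("Monitor IP"),  # assumption: absent when monitoring is off
        next_hop_status=f.get("NextHop Status"),
        monitor_action=mon.group(1) if mon else None,
        interval=int(mon.group(2)) if mon else None,
        threshold=int(mon.group(3)) if mon else None,
        ka_sent=int(stats.group(1)),
        ka_got=int(stats.group(2)),
        packet_matched=int(stats.group(3)),
    )


def diagnose(s: PbfRuleStatus) -> str:
    """Classify the monitor state. 'keepalives-unanswered' is the article's
    case: probes leave the firewall but no reply ever comes back, which points
    at routing or NAT on the egress path rather than at the rule itself."""
    if s.monitor_ip is None:
        return "no-monitor"
    if s.next_hop_status == "UP" and s.rule_state == "Enabled":
        return "healthy"
    if s.ka_sent > 0 and s.ka_got == 0:
        return "keepalives-unanswered"
    if s.ka_got < s.ka_sent:
        return "keepalives-partial-loss"
    return "monitor-down-unknown"


if __name__ == "__main__":
    for sample in (FAILING_OUTPUT, HEALTHY_OUTPUT):
        st = parse_pbf_rule(sample)
        print(f"{st.name}: state={st.rule_state} egress={st.egress} "
              f"sent={st.ka_sent} got={st.ka_got} -> {diagnose(st)}")
```

Because the KA counters are cumulative, a rule that once worked and then broke will show a non-zero "KA got" and fall into the partial-loss bucket; compare two snapshots taken a few intervals apart if you need to tell an old outage from a current one.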
Resolution
Additional Information
How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover