How to forward traffic to IP addresses that a FQDN resolves to using Policy Based Forwarding

Created On 11/21/19 05:56 AM - Last Modified 04/27/23 19:33 PM


Objective


  • This article explains how to forward traffic destined to a specific FQDN using policy based forwarding (PBF).


Environment


PAN-OS Firewall
 


Procedure


  • First, we need to create an FQDN address object.
  • Select Objects --> Address
  • Click on "Add" to create an address.
  • Click on the “Type” drop-down and select the option FQDN.
  • Enter the FQDN which you wish to use in PBF and click OK.

       Note: The firewall only allows an FQDN here; a wildcard entry cannot be configured.
  • Now we need to create a PBF rule with the destination set to the above-mentioned FQDN address object.
  • Select Policies --> Policy Based Forwarding
  • Enter the relevant information in the “General” and “Source” tabs.
  • Add the configured FQDN object as the Destination Address under the “Destination” tab.
  • Provide the relevant forwarding details and click on OK.

       Note: It is important that the firewall and the client machine resolve the FQDN to the same IP address, so that the traffic will match the PBF rule on the firewall. If the PAN-OS version is 9.0 or above, run the command
       “show dns-proxy fqdn all” to see the resolved IP address. If the PAN-OS version is 8.1 or below, run the command “request system fqdn show”.
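The note above is the usual reason an FQDN-based PBF rule silently does not match: the client resolves the name to an address the firewall has not cached. The following added example (not part of the original article or of PAN-OS) is a small check script: paste the output of “show dns-proxy fqdn all” or “request system fqdn show” into it, let it resolve the FQDN from the client host, and it reports which client-resolved addresses the PBF rule will and will not match. The sample firewall output embedded below is constructed and its layout is not the real command output; addresses are pulled out by regex so no layout is assumed.

```python
import re
import socket

# Constructed sample standing in for pasted firewall CLI output (not real PAN-OS layout).
SAMPLE_FIREWALL_OUTPUT = """\
(constructed sample, not real PAN-OS output)
fqdn: app.example.com
  203.0.113.10
  203.0.113.11
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text: str) -> set:
    """Return every IPv4 literal found in free-form CLI output.

    A regex is used on purpose: the exact layout of the firewall's FQDN
    cache output differs between PAN-OS releases, and only the addresses matter."""
    return set(IPV4_RE.findall(text))


def resolve_on_client(fqdn: str) -> set:
    """Resolve the FQDN with this host's own resolver (the client-side view)."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


def compare_resolution(firewall_ips: set, client_ips: set) -> dict:
    """Client-resolved addresses unknown to the firewall will NOT hit the PBF rule;
    packets to them fall through to the normal routing table."""
    return {
        "matched": sorted(client_ips & firewall_ips),
        "unmatched_on_firewall": sorted(client_ips - firewall_ips),
        "pbf_will_match": bool(client_ips) and client_ips <= firewall_ips,
    }


def check_fqdn_for_pbf(fqdn: str, firewall_output: str) -> dict:
    """End-to-end check: firewall view (pasted output) vs. live client resolution."""
    return compare_resolution(extract_ipv4(firewall_output), resolve_on_client(fqdn))


if __name__ == "__main__":
    # Offline demonstration with a constructed client-side answer.
    client_view = {"203.0.113.11", "203.0.113.12"}  # constructed
    print(compare_resolution(extract_ipv4(SAMPLE_FIREWALL_OUTPUT), client_view))
```

Run check_fqdn_for_pbf() on the client host with the real pasted output; a non-empty "unmatched_on_firewall" list means the two sides are using different resolvers or the firewall's FQDN refresh has not yet picked up the new answer.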



 


Additional Information


This setup works more efficiently in PAN-OS 9.0 or above due to the FQDN Refresh Enhancement. Please refer to the 9.0 release notes for more information:
PAN-OS Release Notes - Networking Features

