Policy based Forwarding with Palo Alto Firewalls


In this blog post I would like to share how easy it is to move the fail-over routing decision from your internet edge routers to your awesome Palo Alto firewall(s).

Of course there are situations where this is useful, especially when a company decides to use two basic broadband connections for a very small remote office where the service provider only hands you static point-to-point public IPs.

Let's get straight down to the configuration (Woof):

Policies > Policy Based Forwarding > Add 


As with any firewall policy, PBF policies are evaluated top down: the first policy should be for your most preferred link, and the policy for your backup link must be configured directly after it.

Name: Give your policy a name
Tags: Optional attribute to quickly find things when troubleshooting
Zone/Interface: Incoming (source) zone(s) of the packet
Address: Is this for a specific IP? If you are using PAT then "any" should suffice
Destination: Any
Application: Any
Service: Any
Action: What the policy should do once it identifies such a packet (Allow/Deny)
Egress interface: The interface connected to your Internet provider's managed router
Enforce Symmetric Return: In this case we set ours to false, since in our design both circuits will not be active at the same time. I will dive into this option in a follow-up blog post... stay tuned

Next we create a Monitoring profile for the policy. This actively monitors the link and takes the configured action if the monitoring fails:

Profile : Give your profile a name

Target: The IP address you would like to monitor. Best practice is to monitor a next-hop IP (hosted on the service provider's end, of course). If that is not possible, you can monitor the interface's ability to ping something like your data-center edge router.


Disable if Unreachable: This is the magic part. Should the profile fail to ping its target IP, we want to take action and disable the entire policy. This lets the firewall fall through to the next policy to route packets out of the network.

Creating a Policy 

The above steps only create the policy for your primary link; repeat the same policy configuration steps for your secondary link, of course changing the IP addresses as per your provider's details.

Next we move on to the NAT and virtual router configuration that you need to complete for the fail-over to work.

Configure the Destination NAT for both of your Internet Service Provider links, since the public IP changes when a fail-over occurs.

NAT Configuration


Configure a secondary default route for your backup link with a higher metric, since this route is only used when the primary default route fails. This secondary default route is important because even if the secondary policy kicks in, there must be a route in the virtual router to direct packets to the secondary provider.

Default Route Configuration
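To make the evaluation order concrete, here is a small Python model of the fail-over logic this post walks through: top-down rule evaluation, a rule dropping out when its monitor target stops answering and "Disable if Unreachable" is set, and non-PBF traffic falling back to the virtual router's default routes by metric. It is an added example, not code from this post or from Palo Alto Networks; the rule names, interface names, next-hop IPs and reachability results are all constructed, and it simulates the selection rather than talking to a firewall.

```python
"""Model of the PBF fail-over logic described above (added example, not PAN-OS
code). Rules are evaluated top-down; a rule whose monitored target is
unreachable and has "Disable if Unreachable" set is skipped; traffic matching
no active rule falls back to the virtual router's lowest-metric usable default
route. All names, IPs and reachability results here are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Pinger = Callable[[str], bool]  # ip -> True when the monitor ping succeeds

@dataclass
class MonitorProfile:
    name: str
    target: str                          # next-hop (or far-end) IP to ping
    disable_if_unreachable: bool = True  # the "magic" checkbox from the post

@dataclass
class PbfRule:
    name: str
    from_zone: str
    egress_interface: str
    next_hop: str
    monitor: Optional[MonitorProfile] = None
    enforce_symmetric_return: bool = False  # off: both circuits never active together

    def is_active(self, ping: Pinger) -> bool:
        """Usable unless the monitor fails AND the rule is set to disable."""
        if self.monitor is None or ping(self.monitor.target):
            return True
        return not self.monitor.disable_if_unreachable

@dataclass
class StaticRoute:
    destination: str  # "0.0.0.0/0" for a default route
    interface: str
    next_hop: str
    metric: int = 10

@dataclass
class VirtualRouter:
    routes: List[StaticRoute] = field(default_factory=list)

    def default_route(self, iface_up: Callable[[str], bool]) -> Optional[StaticRoute]:
        """Lowest-metric default route whose egress interface is usable."""
        usable = [r for r in self.routes
                  if r.destination == "0.0.0.0/0" and iface_up(r.interface)]
        return min(usable, key=lambda r: r.metric, default=None)

# Constructed topology: ISP A on ethernet1/1 is preferred, ISP B on ethernet1/2
# is the backup. Rule order matters: the preferred link's rule must come first.
RULES = [
    PbfRule("PBF-ISP-A", "trust", "ethernet1/1", "203.0.113.1",
            MonitorProfile("mon-isp-a", "203.0.113.1")),
    PbfRule("PBF-ISP-B", "trust", "ethernet1/2", "198.51.100.1",
            MonitorProfile("mon-isp-b", "198.51.100.1")),
]
VR_WITH_BACKUP = VirtualRouter([
    StaticRoute("0.0.0.0/0", "ethernet1/1", "203.0.113.1", metric=10),
    StaticRoute("0.0.0.0/0", "ethernet1/2", "198.51.100.1", metric=20),
])
VR_NO_BACKUP = VirtualRouter([StaticRoute("0.0.0.0/0", "ethernet1/1", "203.0.113.1", 10)])

def oracles(reachable: Dict[str, bool]):
    """Ping and interface-up checks from a constructed reachability map; an
    interface counts as usable when its next hop answers pings."""
    next_hop_of = {r.egress_interface: r.next_hop for r in RULES}
    def ping(ip: str) -> bool:
        return reachable.get(ip, False)
    def iface_up(ifname: str) -> bool:
        return ping(next_hop_of.get(ifname, ""))
    return ping, iface_up

def rule_states(reachable: Dict[str, bool]) -> Dict[str, str]:
    """Active/Disabled per rule: the view you confirm with 'show pbf rule all'."""
    ping, _ = oracles(reachable)
    return {r.name: "Active" if r.is_active(ping) else "Disabled" for r in RULES}

def select_egress(src_zone: str, reachable: Dict[str, bool],
                  vr: VirtualRouter = VR_WITH_BACKUP) -> Tuple[str, str, str]:
    """First active matching rule (top-down) wins, else the routing table.
    Returns (decided_by, egress_interface, next_hop)."""
    ping, iface_up = oracles(reachable)
    for rule in RULES:
        if rule.from_zone == src_zone and rule.is_active(ping):
            return (rule.name, rule.egress_interface, rule.next_hop)
    route = vr.default_route(iface_up)
    if route is None:
        return ("no-path", "", "")
    return (f"route-metric-{route.metric}", route.interface, route.next_hop)

if __name__ == "__main__":
    isp_a_down = {"203.0.113.1": False, "198.51.100.1": True}
    for label, state in [("both up", {"203.0.113.1": True, "198.51.100.1": True}),
                         ("ISP A down", isp_a_down),
                         ("both down", {"203.0.113.1": False, "198.51.100.1": False})]:
        print(label, rule_states(state), select_egress("trust", state))
    # Traffic from a zone with no PBF rule shows why the backup default route matters.
    print("dmz, backup route:", select_egress("dmz", isp_a_down))
    print("dmz, no backup route:", select_egress("dmz", isp_a_down, VR_NO_BACKUP))
```

Running it shows the primary rule carrying traffic while its next hop answers, the secondary rule taking over the moment the primary monitor fails (and the primary coming back when it recovers, which is the fallback you should test), and the last two lines show the point about the virtual router: traffic that no PBF rule covers only has somewhere to go during a fail-over if the higher-metric backup default route exists.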



That's it... simple, hey!

PS. There is a great CLI command, show pbf rule all, that helps you track which policy is in use. It is a great tool when testing your fail-over and fallback before putting this into production :)
