Next-Generation Firewall
About Policy Based Forwarding
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 11.2
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
About Policy Based Forwarding
Learn more about Policy Based Forwarding (PBF) for your
managed firewalls.
Contact your account team to enable Cloud Management for NGFWs using Strata
Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of these:
|
Policy Based Forwarding (PBF) allows you to configure traffic to take an alternative
path from the next hop specified in the route table. PFB is typically used to specify an
egress interface for security or performance reasons. For example, your company has two
links between the corporate office and the branch office: a cheaper internet link and a
more expensive leased line. The leased line is a high-bandwidth, low-latency link. For
enhanced security, you can use PBF to send applications that aren’t encrypted traffic,
such as FTP traffic, over the private leased line, and all other traffic over the
internet link. For performance, you can choose to route business-critical applications
over the leased line while sending all other traffic, such as web browsing, over the
cheaper link.
Egress Path and Symmetric Return
Using PBF, you can direct traffic to a specific interface on the firewall or drop the traffic.
In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur
when traffic arrives at one interface on the firewall and leaves from another
interface. If the route is asymmetrical, where the forward (SYN packet) and return
(SYN-ACK) paths are different, the firewall is unable to track the state of the
entire session and causes a connection failure. To ensure that the traffic uses a
symmetrical path, which means that the traffic arrives at and leaves from the same
interface on which the session was created, enable the Symmetric Return option.
With symmetric return, the logical router overrides a routing lookup for return traffic and
instead directs the flow back to the MAC address from which it received the SYN
packet (or first packet). However, if the destination IP address is on the same
subnet as the ingress or egress interface’s IP address, a route lookup is performed
and symmetric return isn’t enforced. This behavior prevents traffic from being
silently discarded.
Path Monitoring for PBF
Path monitoring allows you to verify connectivity to
an IP address so that the firewall can direct traffic through an
alternate route, when needed. The firewall uses ICMP pings as heartbeats
to verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number of heartbeats to determine
whether the IP address is reachable. When the monitored IP address is unreachable,
you can either disable the PBF rule or specify a failover or wait-recover action.
Disabling the PBF rule allows the logical router to take over the routing decisions.
When the failover or wait-recover action is taken, the monitoring profile continues
to monitor whether the target IP address is reachable. When it comes back up, the
firewall reverts back to using the original route.
The following table lists the difference in behavior for a path
monitoring failure on a new session versus an established session.
Behavior of a session
on a monitoring failure | If the rule stays enabled
when the monitored IP address is unreachable | If rule is disabled
when the monitored IP address is unreachable |
|---|---|---|
For an established session | wait-recover—Continue
to use egress interface specified in the PBF rule | wait-recover—Continue
to use egress interface specified in the PBF rule |
fail-over—Use path determined
by routing table (no PBF) | fail-over—Use path
determined by routing table (no PBF) | |
For a new session | wait-recover—Use
path determined by routing table (no PBF) | wait-recover—Check
the remaining PBF rules. If no match, use the routing table |
fail-over—Use path determined
by routing table (no PBF) | fail-over—Check the
remaining PBF rules. If no match, use the routing table |
Service Versus Applications in PBF
PBF rules are applied either on the first packet (SYN) or the first response to the first packet
(SYN-ACK). This means that a PBF rule might be applied before the firewall has
enough information to determine the application. Therefore, application-specific
rules aren’t recommended for use with PBF. Whenever possible, use a service object,
which is the Layer 4 port (TCP or UDP) used by the protocol or application.
However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When
an application passes through the firewall for the first time, the firewall doesn’t
have enough information to identify the application, and therefore can’t enforce the
PBF rule. As more packets arrive, the firewall determines the application and
creates an entry in the App-ID cache and retains this App-ID for the session. When a
new session is created with the same destination IP address, destination port, and
protocol ID, the firewall could identify the application as the same from the
initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a
session that isn’t an exact match and isn’t the same application, can be forwarded
based on the PBF rule.
Further, applications have dependencies and the identity of the application can change as the
firewall receives more packets. Because PBF makes a routing decision at the start of
a session, the firewall can’t enforce a change in application identity. For example,
YouTube starts as web-browsing but changes to Flash, RTSP, or YouTube based on the
different links and videos included on the page. However with PBF, because the
firewall identifies the application as web-browsing at the start of the session, the
change in application isn’t recognized thereafter.