Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.

A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a failover or wait-recover action. Disabling the PBF rule allows the logical router to take over the routing decisions. When the failover or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable. When it comes back up, the firewall reverts back to using the original route.

The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN-ACK). This means that a PBF rule might be applied before the firewall has enough information to determine the application. Therefore, application-specific rules aren’t recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall doesn’t have enough information to identify the application, and therefore can’t enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that isn’t an exact match and isn’t the same application, can be forwarded based on the PBF rule.

Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall can’t enforce a change in application identity. For example, YouTube starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application isn’t recognized thereafter.