Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:
  • Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
  • Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
  • Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.
PBF.png
  1. Configure the ingress and the egress interfaces on the firewall.
    Egress interfaces can be in the same zone.
    1. Select NetworkInterfaces and then select the interface you want to configure, for example, Ethernet1/1 and Ethernet1/3.
      The interface configuration on the firewall used in this example is as follows:
      • Ethernet 1/1 connected to the primary ISP:
        • Zone: TwoISP
        • IP Address: 1.1.1.2/30
        • Virtual Router: Default
      • Ethernet 1/3 connected to the backup ISP:
        • Zone: TwoISP
        • IP Address: 2.2.2.2/30
        • Virtual Router: Default
      • Ethernet 1/2 is the ingress interface, used by the network clients to connect to the internet:
        • Zone: Corporate
        • IP Address: 192.168. 54.1/24
        • Virtual Router: Default
    2. To save the interface configuration, click OK.
  2. On the virtual router, add a static route to the backup ISP.
    1. Select NetworkVirtual Router and then select the default link to open the Virtual Router dialog.
    2. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
    3. Select the IP Address radio button and set the Next Hop IP address for your router that connects to the backup internet gateway (you cannot use a domain name for the next hop). In this example, 2.2.2.1.
    4. Specify a cost metric for the route. In this example, we use 10.
      static_to_ISP_B.PNG
    5. Click OK twice to save the virtual router configuration.
  3. Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
    Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.
    1. Select PoliciesPolicy Based Forwarding and click Add.
    2. Give the rule a descriptive Name in the General tab.
    3. In the Source tab, set the Source Zone to Corporate.
    4. In the Destination/Application/Service tab, set the following:
      1. In the Destination Address section, Add the IP addresses or address range for servers on the internal network or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule.
      2. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
        To forward all traffic using PBF, set the Service to Any.
        negate_dest_IP.PNG
  4. Specify where to forward traffic.
    1. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
    2. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1 (you cannot use a FQDN for the next hop).
      forward_PBF.PNG
    3. Enable Monitor and attach the default monitoring profile to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable, the firewall will direct traffic to the default route specified on the virtual router.
    4. (Required if you have asymmetric routes) Select Enforce Symmetric Return to ensure that return traffic from the Corporate zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet.
    5. NAT ensures that the traffic from the internet is returned to the correct interface/IP address on the firewall.
    6. Click OK to save the changes.
    PBF_rule_one.png
  5. Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
    1. Select PoliciesNAT and click Add.
    2. In this example, the NAT rule we create for each ISP is as follows:
      NAT for Primary ISP
      In the Original Packet tab,
      Source Zone: Corporate
      Destination Zone: TwoISP
      In the Translated Packet tab, under Source Address Translation
      Translation Type: Dynamic IP and Port
      Address Type: Interface Address
      Interface: ethernet1/1
      IP Address: 1.1.1.2/30
      NAT for Backup ISP
      In the Original Packet tab,
      Source Zone: Corporate
      Destination Zone: TwoISP
      In the Translated Packet tab, under Source Address Translation
      Translation Type: Dynamic IP and Port
      Address Type: Interface Address
      Interface: ethernet1/2
      IP Address: 2.2.2.2/30
      src_nat_withPBF.PNG
  6. Create security policy to allow outbound access to the internet.
    To safely enable applications, create a simple rule that allows access to the internet and attach the security profiles available on the firewall.
    1. Select PoliciesSecurity and click Add.
    2. Give the rule a descriptive Name in the General tab.
    3. In the Source tab, set the Source Zone to Corporate.
    4. In the Destination tab, Set the Destination Zone to TwoISP.
    5. In the Service/ URL Category tab, leave the default application-default.
    6. In the Actions tab, complete these tasks:
      1. Set the Action Setting to Allow.
      2. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under Profile Setting.
    7. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.
      security_policy.PNG
  7. Save the policies to the running configuration on the firewall.
    Click Commit.
  8. Verify that the PBF rule is active and that the primary ISP is used for internet access.
    1. Launch a web browser and access a web server. On the firewall check the traffic log for web-browsing activity.
    2. From a client on the network, use the ping utility to verify connectivity to a web server on the internet. and check the traffic log on the firewall.
      C:\Users\pm-user1>ping 198.51.100.6 
      Pinging 198.51.100.6 with 32 bytes of data: 
      Reply from 198.51.100.6: bytes=32 time=34ms TTL=117 
      Reply from 198.51.100.6: bytes=32 time=13ms TTL=117 
      Reply from 198.51.100.6: bytes=32 time=25ms TTL=117 
      Reply from 198.51.100.6: bytes=32 time=3ms TTL=117 
      Ping statistics for 198.51.100.6: 
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
      Approximate round trip times in milli-seconds: 
          Minimum = 3ms, Maximum = 34ms, Average = 18ms 
      verify_log_2.PNG
    3. To confirm that the PBF rule is active, use the following CLI command:
    admin@PA-NGFW> show pbf rule all 
    Rule       ID    Rule State Action   Egress IF/VSYS  NextHop 
    ========== === ========== ====== ==============  
    Use ISP-Pr 1 Active     Forward ethernet1/1 1.1.1.1 
  9. Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
    1. Unplug the connection to the primary ISP.
    2. Confirm that the PBF rule is inactive with the following CLI command:
      admin@PA-NGFW> show pbf rule all 
      Rule       ID    Rule State Action   Egress IF/VSYS  NextHop 
      ========== === ========== ====== ============== === 
      Use ISP-Pr 1 Disabled Forward ethernet1/1     1.1.1.1 
    3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.
      verify_log_backupISP.PNG
    4. View the session details to confirm that the NAT rule is working properly.
      admin@PA-NGFW> show session all 
      --------------------------------------------------------- 
      ID Application    State   Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) 
      --------------------------------------------------------- 
      87212 ssl ACTIVE  FLOW  NS   192.168.54.56[53236]/Corporate/6  (2.2.2.2[12896]) vsys1 204.79.197.200[443]/TwoISP (204.79.197.200[443]) 
    5. Obtain the session identification number from the output and view the session details.
      The PBF rule is not used and hence is not listed in the output.
      admin@PA-NGFW> show session id 87212 
      Session           87212 
      c2s flow: 
                      source:      192.168.54.56 [Corporate] 
                      dst:         204.79.197.200 
                      proto:       6 
                      sport:       53236           dport:      443 
                      state:       ACTIVE          type:       FLOW 
                      src user:    unknown 
                      dst user:    unknown 
      s2c flow: 
                      source:      204.79.197.200 [TwoISP] 
                      dst:         2.2.2.2 
                      proto:       6 
                      sport:       443             dport:      12896 
                      state:       ACTIVE          type:       FLOW 
                      src user:    unknown 
                      dst user:    unknown 
      start time                    : Wed Nov5 11:16:10 2014 
              timeout                       : 1800 sec 
              time to live                  : 1757 sec 
              total byte count(c2s)         : 1918 
              total byte count(s2c)         : 4333 
              layer7 packet count(c2s)      : 10 
              layer7 packet count(s2c)      : 7 
              vsys                          : vsys1 
              application                   : ssl 
              rule                          : Corp2ISP 
              session to be logged at end   : True 
              session in session ager       : True 
              session synced from HA peer   : False 
              address/port translation      : source 
              nat-rule                      : NAT-Backup ISP(vsys1) 
              layer7 processing             : enabled 
              URL filtering enabled         : True 
              URL category                  : search-engines 
              session via syn-cookies       : False 
              session terminated on host    : False 
              session traverses tunnel      : False 
              captive portal session        : False 
              ingress interface             : ethernet1/2        egress interface              : ethernet1/3 
              session QoS rule              : N/A (class 4) 

Related Documentation