Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:
  • Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
  • Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
  • Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.
PBF.png
  1. Configure the ingress and the egress interfaces on the firewall.
    Egress interfaces can be in the same zone.
    1. Select
      Network
      Interfaces
      and then select the interface you want to configure, for example, Ethernet1/1 and Ethernet1/3.
      The interface configuration on the firewall used in this example is as follows:
      • Ethernet 1/1 connected to the primary ISP:
        • Zone: TwoISP
        • IP Address: 1.1.1.2/30
        • Virtual Router: Default
      • Ethernet 1/3 connected to the backup ISP:
        • Zone: TwoISP
        • IP Address: 2.2.2.2/30
        • Virtual Router: Default
      • Ethernet 1/2 is the ingress interface, used by the network clients to connect to the internet:
        • Zone: Corporate
        • IP Address: 192.168. 54.1/24
        • Virtual Router: Default
    2. To save the interface configuration, click
      OK
      .
  2. On the virtual router, add a static route to the backup ISP.
    1. Select
      Network
      Virtual Router
      and then select the
      default
      link to open the Virtual Router dialog.
    2. Select the
      Static Routes
      tab and click
      Add
      . Enter a
      Name
      for the route and specify the
      Destination
      IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
    3. Select the
      IP Address
      radio button and set the
      Next Hop
      IP address for your router that connects to the backup internet gateway (you cannot use a domain name for the next hop). In this example, 2.2.2.1.
    4. Specify a cost metric for the route. In this example, we use 10.
      static_to_ISP_B.PNG
    5. Click
      OK
      twice to save the virtual router configuration.
  3. Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
    Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.
    1. Select
      Policies
      Policy Based Forwarding
      and click
      Add
      .
    2. Give the rule a descriptive
      Name
      in the
      General
      tab.
    3. In the
      Source
      tab, set the
      Source Zone
      to Corporate.
    4. In the
      Destination/Application/Service
      tab, set the following:
      1. In the Destination Address section,
        Add
        the IP addresses or address range for servers on the internal network or create an address object for your internal servers. Select
        Negate
        to exclude the IP addresses or address object listed above from using this rule.
      2. In the Service section,
        Add
        the
        service-http
        and
        service-https
        services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
        To forward all traffic using PBF, set the Service to
        Any
        .
        negate_dest_IP.PNG
  4. Specify where to forward traffic.
    1. In the
      Forwarding
      tab, specify the interface to which you want to forward traffic and enable path monitoring.
    2. To forward traffic, set the
      Action
      to
      Forward
      , and select the
      Egress Interface
      and specify the
      Next Hop
      . In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1 (you cannot use a FQDN for the next hop).
      forward_PBF.PNG
    3. Enable
      Monitor
      and attach the default monitoring profile to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable, the firewall will direct traffic to the default route specified on the virtual router.
    4. (
      Required if you have asymmetric routes
      ) Select
      Enforce Symmetric Return
      to ensure that return traffic from the Corporate zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet.
    5. NAT ensures that the traffic from the internet is returned to the correct interface/IP address on the firewall.
    6. Click
      OK
      to save the changes.
    PBF_rule_one.png
  5. Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
    1. Select
      Policies
      NAT
      and click
      Add
      .
    2. In this example, the NAT rule we create for each ISP is as follows:
      NAT for Primary ISP
      In the
      Original Packet
      tab,
      Source Zone
      : Corporate
      Destination Zone
      : TwoISP
      In the
      Translated Packet
      tab, under Source Address Translation
      Translation Type
      : Dynamic IP and Port
      Address Type
      : Interface Address
      Interface
      : ethernet1/1
      IP Address
      : 1.1.1.2/30
      NAT for Backup ISP
      In the
      Original Packet
      tab,
      Source Zone
      : Corporate
      Destination Zone
      : TwoISP
      In the
      Translated Packet
      tab, under Source Address Translation
      Translation Type
      : Dynamic IP and Port
      Address Type
      : Interface Address
      Interface
      : ethernet1/2
      IP Address
      : 2.2.2.2/30
      src_nat_withPBF.PNG
  6. Create security policy to allow outbound access to the internet.
    To safely enable applications, create a simple rule that allows access to the internet and attach the security profiles available on the firewall.
    1. Select
      Policies
      Security
      and click
      Add
      .
    2. Give the rule a descriptive
      Name
      in the
      General
      tab.
    3. In the
      Source
      tab, set the
      Source Zone
      to Corporate.
    4. In the
      Destination
      tab, Set the
      Destination Zone
      to TwoISP.
    5. In the
      Service/ URL Category
      tab, leave the default
      application-default
      .
    6. In the
      Actions
      tab, complete these tasks:
      1. Set the
        Action Setting
        to
        Allow
        .
      2. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under
        Profile Setting.
    7. Under
      Options
      , verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.
      security_policy.PNG
  7. Save the policies to the running configuration on the firewall.
    Click
    Commit
    .
  8. Verify that the PBF rule is active and that the primary ISP is used for internet access.
    1. Launch a web browser and access a web server. On the firewall, check the traffic log for web-browsing activity.
    2. From a client on the network, use the ping utility to verify connectivity to a web server on the internet, and check the traffic log on the firewall.
      C:\Users\pm-user1>
      ping 198.51.100.6
      Pinging 198.51.100.6 with 32 bytes of data: Reply from 198.51.100.6: bytes=32 time=34ms TTL=117 Reply from 198.51.100.6: bytes=32 time=13ms TTL=117 Reply from 198.51.100.6: bytes=32 time=25ms TTL=117 Reply from 198.51.100.6: bytes=32 time=3ms TTL=117 Ping statistics for 198.51.100.6: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 3ms, Maximum = 34ms, Average = 18ms
      verify_log_2.PNG
    3. To confirm that the PBF rule is active, use the following CLI command:
    admin@PA-NGFW>
    show pbf rule all
    Rule ID Rule State Action Egress IF/VSYS NextHop ========== === ========== ====== ============== Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1
  9. Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
    1. Unplug the connection to the primary ISP.
    2. Confirm that the PBF rule is inactive with the following CLI command:
      admin@PA-NGFW>
      show pbf rule all
      Rule ID Rule State Action Egress IF/VSYS NextHop ========== === ========== ====== ============== === Use ISP-Pr 1 Disabled Forward ethernet1/1 1.1.1.1
    3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.
      verify_log_backupISP.PNG
    4. View the session details to confirm that the NAT rule is working properly.
      admin@PA-NGFW>
      show session all
      --------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) --------------------------------------------------------- 87212 ssl ACTIVE FLOW NS 192.168.54.56[53236]/Corporate/6 (2.2.2.2[12896]) vsys1 204.79.197.200[443]/TwoISP (204.79.197.200[443])
    5. Obtain the session identification number from the output and view the session details.
      The PBF rule is not used and hence is not listed in the output.
      admin@PA-NGFW>
      show session id 87212
      Session 87212 c2s flow: source: 192.168.54.56 [Corporate] dst: 204.79.197.200 proto: 6 sport: 53236 dport: 443 state: ACTIVE type: FLOW src user: unknown dst user: unknown s2c flow: source: 204.79.197.200 [TwoISP] dst: 2.2.2.2 proto: 6 sport: 443 dport: 12896 state: ACTIVE type: FLOW src user: unknown dst user: unknown start time : Wed Nov5 11:16:10 2014 timeout : 1800 sec time to live : 1757 sec total byte count(c2s) : 1918 total byte count(s2c) : 4333 layer7 packet count(c2s) : 10 layer7 packet count(s2c) : 7 vsys : vsys1 application : ssl rule : Corp2ISP session to be logged at end : True session in session ager : True session synced from HA peer : False address/port translation : source
      nat-rule : NAT-Backup ISP(vsys1)
      layer7 processing : enabled URL filtering enabled : True URL category : search-engines session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False
      ingress interface : ethernet1/2
      egress interface : ethernet1/3
      session QoS rule : N/A (class 4)

Related Documentation