Policy-Based Forwarding in Palo Alto Networks Firewalls
Overview
Policy-Based Forwarding (PBF) allows administrators to override the default routing behavior of the firewall by directing traffic to specific egress interfaces based on defined criteria. This is particularly useful in scenarios involving multiple ISPs, traffic segregation, or enforcing specific routing policies that differ from the routing table's decisions.
Interaction with Static Routes
When both PBF and static routes are configured:
- PBF rules take precedence over the routing table. If a packet matches a PBF rule, it is forwarded according to that rule, bypassing the routing table.
- If no PBF rule matches, the firewall consults the routing table to determine the packet's path.
This hierarchy allows for granular control over specific traffic flows while maintaining general routing behavior for other traffic.
Primary and Backup ISP Scenario
In environments with dual ISPs, PBF can be employed to direct traffic through the primary ISP. If the primary path becomes unavailable, the firewall can fail over to the secondary ISP using either:
- Secondary PBF Rule: A backup PBF rule with a lower priority that directs traffic through the secondary ISP.
- Static Route: A default route in the routing table pointing to the secondary ISP, which is used when no PBF rule matches.
Path monitoring can be configured to monitor the health of the primary path and trigger failover mechanisms when necessary.
Path Monitoring Failover Criteria
Path monitoring in PBF uses ICMP pings to a specified IP address to verify path availability. Key parameters include:
- Ping Interval: Frequency of ICMP pings (default: 3 seconds).
- Ping Count: Number of consecutive failed pings before considering the path down (default: 5).
Upon detecting a path failure, actions can be configured as:
- Disable Rule: The PBF rule is disabled, and the routing table determines the path.
- Failover: Traffic is redirected according to a backup PBF rule or the routing table.
- Wait-Recover: Existing sessions continue on the current path, while new sessions use the routing table.
These actions ensure minimal disruption and maintain traffic flow during path failures.
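The following is an added illustration, not Palo Alto Networks code: a simplified model of the path-monitor counter described above (3-second ping interval, 5 consecutive failures) and of how each failure action affects existing and new sessions. Interface names and the action strings are assumptions made for the example.

```python
# Added example, not Palo Alto Networks code: a simplified model of PBF path
# monitoring. Defaults follow the text: a ping every 3 seconds, path declared
# down after 5 consecutive failed pings. Interface names are made up.
from dataclasses import dataclass

PING_INTERVAL_S = 3   # default ping interval
PING_COUNT = 5        # consecutive failures before the path is considered down

@dataclass
class PathMonitor:
    action: str                # "disable_rule", "failover" or "wait_recover"
    failed: int = 0            # consecutive failed pings seen so far
    rule_enabled: bool = True  # False once the monitor has declared the path down

    def record_ping(self, ok: bool) -> bool:
        """Feed one ping result. Returns True once the path is declared down.
        A single successful reply resets the consecutive-failure counter."""
        self.failed = 0 if ok else self.failed + 1
        if self.failed >= PING_COUNT:
            self.rule_enabled = False
            return True
        return False

def detection_seconds() -> int:
    """Approximate time to notice a dead path with the defaults: 5 pings, 3 s apart."""
    return PING_INTERVAL_S * PING_COUNT   # 15

def egress_for(monitor: PathMonitor, existing_session: bool,
               primary_if: str, routing_if: str, backup_if: str = "") -> str:
    """Pick the egress interface for a packet given the monitor state and the
    configured failure action, following the three actions in the text."""
    if monitor.rule_enabled:
        return primary_if        # PBF rule still in force
    if monitor.action == "wait_recover" and existing_session:
        return primary_if        # existing sessions stay on the current path
    if monitor.action == "failover" and backup_if:
        return backup_if         # backup PBF rule takes over
    return routing_if            # routing table decides the path
```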
Match Criteria for PBF Rules
PBF rules can match traffic based on various attributes:
- Source Zone or Interface
- Source Address
- Destination Address
- Application (Note: Application-based matching is not recommended, because the firewall needs the first packets of a session to identify the application, and those packets must already be forwarded before an application match is possible.)
- Service (Port)
- Source User
By defining these criteria, administrators can create precise forwarding policies tailored to specific network requirements.
Next Hop Options in Policy-Based Forwarding
When configuring a Policy-Based Forwarding (PBF) rule, the Next Hop determines where the firewall forwards matching packets. The available options are:
- IP Address: Specify a static IP address or select an address object of type IP Netmask. For IPv4, the address object must have a /32 netmask; for IPv6, a /128 netmask is required. This option directs traffic to a specific IP address.
- FQDN: Enter a Fully Qualified Domain Name (FQDN) or select/create an address object of type FQDN. The FQDN can resolve to IPv4, IPv6, or both. If both are resolved, the PBF rule will have two next hops: one for IPv4 and one for IPv6. IPv4 traffic is forwarded to the IPv4 next hop, and IPv6 traffic to the IPv6 next hop.
  - The resolved IP address must belong to the same subnet as the configured egress interface; otherwise, the firewall rejects the resolution, and the FQDN remains unresolved.
  - The firewall uses only one IP address (per IP family) from the DNS resolution. If multiple addresses are returned, the firewall selects the first address in the DNS response and retains it as the preferred address as long as it appears in subsequent responses.
- None: Selecting 'None' means the firewall uses the packet's destination IP address as the next hop. This is applicable when the destination is directly reachable through the specified egress interface. If the destination IP is not in the same subnet as the egress interface, forwarding fails.
These options provide flexibility in directing traffic based on specific network requirements.
Action Options in Policy-Based Forwarding
When configuring a PBF rule, the Action determines how the firewall handles packets that match the rule's criteria. The available actions are:
- Forward: Directs the matching packet to the specified Egress Interface and Next Hop. This action overrides the routing table, allowing for customized traffic paths.
- Forward to VSYS: (Applicable in multi-virtual system environments) Forwards the packet to a specified virtual system (VSYS) within the firewall. This facilitates inter-VSYS traffic management.
- Discard: Drops the matching packet without further processing. This action is useful for blocking specific traffic flows based on defined criteria.
- No PBF: Excludes the matching packet from PBF processing. Instead, the firewall uses the routing table to determine the packet's path. This action is beneficial when you want certain traffic to follow standard routing, even if it matches broader PBF rules.
Selecting the appropriate action ensures that traffic is handled according to your network's design and policy requirements.
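The following is an added illustration, not Palo Alto Networks code: a simplified model of how the Forward, Discard and No PBF actions and the Next Hop setting decide a packet's egress, including the "None" next-hop subnet check from the previous section and the fallback to static routes when no rule forwards the packet. Zones, interface names, subnets and the rule-action strings are assumptions made for the example.

```python
# Added example, not Palo Alto Networks code: simplified PBF decision model.
# Zones, interfaces and subnets are made up. Rules are evaluated top-down.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PbfRule:
    name: str
    from_zone: str
    destination: str                # CIDR the packet's destination must fall in
    action: str                     # "forward", "discard" or "no_pbf"
    egress_if: str = ""
    egress_subnet: str = ""         # address/prefix configured on the egress interface
    next_hop: Optional[str] = None  # explicit next-hop IP, or None (use the destination)
    enabled: bool = True            # cleared by path monitoring's "Disable Rule" action

def matches(rule: PbfRule, zone: str, dst: str) -> bool:
    return (rule.enabled and rule.from_zone == zone
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination))

def route_lookup(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, interface) static routes."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def decide(rules: List[PbfRule], routes: List[Tuple[str, str]], zone: str, dst: str):
    """Return (verdict, egress_interface, next_hop); verdict is 'forward',
    'discard' or 'fail'. The first matching PBF rule wins."""
    for rule in rules:
        if not matches(rule, zone, dst):
            continue
        if rule.action == "discard":
            return ("discard", None, None)
        if rule.action == "no_pbf":
            break                               # excluded from PBF: use the routing table
        if rule.next_hop is not None:
            return ("forward", rule.egress_if, rule.next_hop)
        # Next Hop "None": the destination itself must sit on the egress subnet.
        if ipaddress.ip_address(dst) in ipaddress.ip_network(rule.egress_subnet, strict=False):
            return ("forward", rule.egress_if, dst)
        return ("fail", rule.egress_if, dst)    # not directly reachable: forwarding fails
    iface = route_lookup(routes, dst)
    return ("forward", iface, dst) if iface else ("fail", None, None)
```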
Best Practices
- Use Application Matching Cautiously: Since application identification requires initial packet inspection, it is advisable to use service (port) matching for PBF rules.
- Implement Path Monitoring: Always configure path monitoring for PBF rules to ensure automatic failover in case of path failures.
- Prioritize PBF Rules: Arrange PBF rules in order of specificity, with more specific rules placed higher in the list.
- Combine with Static Routes: Use static routes as a fallback mechanism when PBF rules are disabled or do not match.