Use Case: PBF for Outbound Access with Dual ISPs
In this use case, the branch office has a dual ISP configuration and implements PBF for redundant Internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant Internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:
Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable. Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address. Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.
.
PBF for Outbound Access with Dual ISPs
Configure the ingress and the egress interfaces on the firewall. Egress interfaces can be in the same zone. In this example we assign the egress interfaces to different zones. Select Network > Interfaces and then select the interface you want to configure, for example, Ethernet1/1 and Ethernet1/3. The interface configuration on the firewall used in this example is as follows: Ethernet 1/1 connected to the primary ISP: Zone: ISP-East IP Address:1.1.1.2/30 Virtual Router: Default Ethernet 1/3 connected to the backup ISP: Zone: ISP-West IP Address:2.2.2.2/30 Virtual Router: Default Ethernet 1/2 is the ingress interface, used by the network clients to connect to the Internet: Zone: Trust IP Address:192.168. 54.1/24 Virtual Router: Default To save the interface configuration, click OK.
On the virtual router, add a static route to the backup ISP. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic. Select the IP Address radio button and set the Next Hop IP address for your router that connects to the backup Internet gateway. In this example, 2.2.2.1. Specify a cost metric for the route. In this example, we use 10.
Click OK twice to save the virtual router configuration.
Create a PBF rule that directs traffic to the interface that is connected to the primary ISP. Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule. Select Policies > Policy Based Forwarding and click Add. Give the rule a descriptive Name in the General tab. In the Source tab, set the Source Zone to Trust. In the Destination/Application/Service tab, set the following: In the Destination Address section, Add the IP addresses or address range for servers on the internal network or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used. To forward all traffic using PBF, set the Service to Any.
In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1.
Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable the firewall will direct traffic to the default route specified on the virtual router. (Required if you have asymmetric routes). Select Enforce Symmetric Return to ensure that return traffic from the Trust zone to the Internet is forwarded out on the same interface through which traffic ingressed from the Internet. NAT ensures that the traffic from the Internet is returned to the correct interface/IP address on the firewall. Click OK to save the changes.
Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections. Select Policies > NAT and click Add. In this example, the NAT rule we create for each ISP is as follows: NAT for Primary ISP In the Original Packet tab, Source Zone: Trust Destination Zone: ISP-West In the Translated Packet tab, under Source Address Translation Translation Type: Dynamic IP and Port Address Type: Interface Address Interface: ethernet1/1 IP Address: 1.1.1.2/30 NAT for Backup ISP In the Original Packet tab, Source Zone: Trust Destination Zone: ISP-East In the Translated Packet tab, under Source Address Translation Translation Type: Dynamic IP and Port Address Type: Interface Address Interface: ethernet1/3 IP Address: 2.2.2.2/30
Create security policy to allow outbound access to the Internet. To safely enable applications, create a simple rule that allows access to the Internet and attach the security profiles available on the firewall. Select Policies > Security and click Add. Give the rule a descriptive Name in the General tab. In the Source tab, set the Source Zone to Trust. In the Destination tab, Set the Destination Zone to ISP-East and ISP-West. In the Service/ URL Category tab, leave the default application-default. In the Actions tab, complete these tasks: Set the Action Setting to Allow. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under Profile Setting. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.
Save the policies to the running configuration on the device. Click Commit.
Verify that the PBF rule is active and that the primary ISP is used for Internet access. Launch a web browser and access a web server. On the firewall check the traffic log for web-browsing activity.
From a client on the network, use the ping utility to verify connectivity to a web server on the Internet. and check the traffic log on the firewall. C:\Users\pm-user1> ping 4.2.2.1 Pinging 4.2.2.1 with 32 bytes of data: Reply from 4.2.2.1: bytes=32 time=34ms TTL=117 Reply from 4.2.2.1: bytes=32 time=13ms TTL=117 Reply from 4.2.2.1: bytes=32 time=25ms TTL=117 Reply from 4.2.2.1: bytes=32 time=3ms TTL=117 Ping statistics for 4.2.2.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 3ms, Maximum = 34ms, Average = 18ms
To confirm that the PBF rule is active, use the CLI command show pbf rule all admin@PA-NGFW> show pbf rule all Rule ID Rule State Action Egress IF/VSYS NextHop ========== === ========== ====== ============== ======= Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1
Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied. Unplug the connection to the primary ISP. Confirm that the PBF rule is inactive with the CLI command show pbf rule all admin@PA-NGFW> show pbf rule all Rule ID Rule State Action Egress IF/VSYS NextHop ========== === ========== ====== ============== ======= Use ISP-Pr 1 Disabled Forward ethernet1/1 1.1.1.1 Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.
View the session details to confirm that the NAT rule is working properly. admin@PA-NGFW> show session all --------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) --------------------------------------------------------- 87212 ssl ACTIVE FLOW NS 192.168.54.56[53236]/Trust/6 (2.2.2.2[12896]) vsys1 204.79.197.200[443]/ISP-East (204.79.197.200[443]) Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output. admin@PA-NGFW> show session id 87212 Session 87212 c2s flow: source: 192.168.54.56 [Trust] dst: 204.79.197.200 proto: 6 sport: 53236 dport: 443 state: ACTIVE type: FLOW src user: unknown dst user: unknown s2c flow: source: 204.79.197.200 [ISP-East] dst: 2.2.2.2 proto: 6 sport: 443 dport: 12896 state: ACTIVE type: FLOW src user: unknown dst user: unknown start time : Wed Nov5 11:16:10 2014 timeout : 1800 sec time to live : 1757 sec total byte count(c2s) : 1918 total byte count(s2c) : 4333 layer7 packet count(c2s) : 10 layer7 packet count(s2c) : 7 vsys : vsys1 application : ssl rule : Trust2ISP session to be logged at end : True session in session ager : True session synced from HA peer : False address/port translation : source nat-rule : NAT-Backup ISP(vsys1) layer7 processing : enabled URL filtering enabled : True URL category : search-engines session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ethernet1/2 egress interface : ethernet1/3 session QoS rule : N/A (class 4)

Related Documentation