Palo Alto Networks Policy-Based Forwarding (PBF)

Questions and Answers

PDF Questions PDF Answers

What does Palo Alto Networks recommend regarding adding specific applications in PBF rules?

Avoid adding specific applications to improve firewall performance.

Add specific applications for better egress interface control.

Avoid adding specific applications to account for delays in application identification. (correct)

Add specific applications to ensure immediate identification.

Why might a PBF rule that specifies the application YouTube not be forwarded correctly initially?

The destination IP address is not cached properly.

The initial packets are insufficient for the firewall to fully identify the application. (correct)

The firewall is experiencing a connectivity issue.

The firewall is overloaded with processing too many packets.

What does the firewall do after fully identifying an application?

It adds more complexity to the application identification process.

It discards the destination IP, port, and protocol information.

It uses the cached information to immediately identify the application for subsequent connections. (correct)

It resets all PBF rules related to that application.

What is a concern when adding specific applications in PBF rules?

Delay in rule processing due to multiple packet requirements for application identification.

How does the firewall initially identify YouTube traffic before fully identifying it?

As web-browsing traffic.

What role does the Forwarding tab play in specifying packet forwarding options?

Specifying packet forwarding options.

Why is it important for a PBF rule to cache destination IP, port, and protocol information?

To enable immediate identification of applications for subsequent connections.

What can be a consequence of not receiving enough packets for a PBF rule to match the most appropriate application?

Decreased network security due to unidentified applications.

What should be avoided when setting up PBF rules according to Palo Alto Networks?

Adding specific applications imprudently.

What is one of the reasons to avoid adding specific applications in PBF rules?

To prevent misidentification of applications during initial packet processing.

Study Notes

Policy-Based Forwarding (PBF)

• PBF enables sending applications that do not use encrypted traffic over a private leased line, while other traffic is sent over an internet link.
• Alternatively, PBF can route business-critical applications over the leased line and other traffic over the internet link.

PBF Rules

• PBF rules use match criteria to match traffic, including source zone or interface, source user, source or destination IP address, application, or destination port.
• PBF rules enable specifying an outgoing interface.
• PBF rules do not apply to traffic originating from the firewall, such as IPsec VPN, GlobalProtect, or virtual router traffic.

PBF Path Monitoring

• PBF path monitoring enables the firewall to verify network path connectivity to an external IP address.
• The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.
• A Monitoring Profile specifies the threshold number of heartbeats to determine whether the external IP address is reachable.

Configuring PBF Policies

• To create a PBF rule, browse to Policies > Policy Based Forwarding and click Add.
• Specify the egress interface and IP address used to forward traffic.
• Specify source zone, address, user, and destination address, application, or port to match traffic.

Considerations for PBF Rules

• Avoid specifying specific applications in PBF rules, as the firewall may not initially identify the application correctly.
• The firewall caches destination IP, port, and protocol information to identify applications for subsequent connections.

Description

Learn about how Palo Alto Networks Policy-Based Forwarding (PBF) can be used to route specific types of traffic over different network links for enhanced security or performance. Understand the limitations of PBF and which types of traffic it does not apply to.