Solved

Palo alto: FQDN policy based forwarding

Posted on 2014-12-15
3
1,221 Views
Last Modified: 2015-01-19
Hi.
I need to make a PBF using a FQDN as target. For example to send all the HTTP traffic thru the WAN1, but just the traffic to www.facebook.com thru the WAN2. Can I do that in Paloalto or in other Firewall?

Best
0
Comment
Question by:ipworkers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40501453
You can do this in PAN based on FQDN or the app ID.

So it can id the traffic as facebook and route it wherever you define.
0
 

Author Comment

by:ipworkers
ID: 40501721
Thanks Schuyler.
Can you send me some config screen shots?
As I now, the PaloAlto OS just can identify apps based on IP and the port (L3/4), and can't route based on a FQDN destination. Can you help me to clarify this?

Best
0
 
LVL 10

Accepted Solution

by:
Schuyler Dorsey earned 500 total points
ID: 40507180
The PANOS does *NOT* identify apps based on IP or port. When identifying an application, it does not care what IP or port is being used. For example, it will identify LDAP traffic regardless of whether it is on port 389 or 34232.

Here is an example rule of a PBF rule which chooses how to route traffic based on the destination being a FQDN object.

fqdn-pbf
You can also route based on application ID. Note you cannot route based on all of the available app IDs in the database but many of them. In this example, I chose ldap.

ldap-pbf
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question