Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Palo alto: FQDN policy based forwarding

Posted on 2014-12-15
3
Medium Priority
?
1,449 Views
Last Modified: 2015-01-19
Hi.
I need to make a PBF using a FQDN as target. For example to send all the HTTP traffic thru the WAN1, but just the traffic to www.facebook.com thru the WAN2. Can I do that in Paloalto or in other Firewall?

Best
0
Comment
Question by:ipworkers
  • 2
3 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40501453
You can do this in PAN based on FQDN or the app ID.

So it can id the traffic as facebook and route it wherever you define.
0
 

Author Comment

by:ipworkers
ID: 40501721
Thanks Schuyler.
Can you send me some config screen shots?
As I now, the PaloAlto OS just can identify apps based on IP and the port (L3/4), and can't route based on a FQDN destination. Can you help me to clarify this?

Best
0
 
LVL 10

Accepted Solution

by:
Schuyler Dorsey earned 2000 total points
ID: 40507180
The PANOS does *NOT* identify apps based on IP or port. When identifying an application, it does not care what IP or port is being used. For example, it will identify LDAP traffic regardless of whether it is on port 389 or 34232.

Here is an example rule of a PBF rule which chooses how to route traffic based on the destination being a FQDN object.

fqdn-pbf
You can also route based on application ID. Note you cannot route based on all of the available app IDs in the database but many of them. In this example, I chose ldap.

ldap-pbf
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question