① Why PBF exists — when the FIB is "right" but wrong
Palo Alto's default behaviour: every packet hits a destination-based FIB lookup, takes the best route, exits the chosen interface. Clean. Predictable. But sometimes you need policy to override routing — say, you want all guest-WiFi → internet traffic forced over the cheap ISP2 link while corp-LAN → internet stays on the premium ISP1 link, even though both have a default route to 0.0.0.0/0.
That's PBF. A PBF rule matches on the same kind of attributes as a security rule — source zone, source/dest IP, application, user, service — and instead of "allow / deny" the action is forward via egress interface + next-hop. PBF is evaluated before the FIB lookup. If a PBF rule matches, the FIB is bypassed for that packet. If no PBF rule matches, the FIB takes over as usual.
PBF rule lookup happens before the destination-FIB lookup. A matching PBF rule overrides the FIB. No-match → fall through to FIB. Order matters.
Match per src-zone, src/dst IP, application, user, service. Action = forward (egress IF + next-hop) or discard or no-PBF. Stateful — first-packet binds the session to the chosen path.
Optional health-check on the PBF rule — pings an IP via the egress interface. If unreachable, action can fail back to FIB (recommended) or drop. The whole point of monitor-target is automatic failover.
Forces return traffic out the same interface it arrived on — pinned by source MAC, not by FIB. Critical for inbound dual-ISP flows where the FIB would pick the wrong ISP for the reply.
Sneha at Infosys configures one PBF rule (guest WiFi → ISP2) and leaves a default route in the FIB pointing to ISP1. A guest laptop sends a packet. Which lookup happens FIRST?
② Watch a packet hit a PBF rule — and what happens next
Eight stages from ingress to egress, with the PBF rule applied. Press Play to see how the firewall sequences the lookups.
▶ PBF decision walker — Guest WiFi out to ISP2
A guest laptop sends a packet to 8.8.8.8:443. PBF says "guest-zone → use ISP2", FIB default-route still says "send everything via ISP1".
guest-wifi.4.2.2.2 via ethernet1/3 is up → PBF action proceeds
198.51.100.1
198.51.100.10 (ISP2's public IP)
Every production PBF rule should have a Monitor Target configured — an IP that's reachable only via the chosen egress interface (your ISP gateway IP, or an upstream loopback). When the target fails, set the action to fall back to FIB so packets re-route over the surviving link instead of getting dropped. Monitor interval = 3 sec / threshold = 5 misses is a sane default. Tighter for VoIP, looser for noisy links.
What can a PBF rule actually do?
Send via specific egress interface + next-hop IP. The main use case. Combine with monitor-target for failover.
Drop matching packets at the PBF stage. Useful as a pre-security blackhole for known-bad src/dst — drop earlier in the pipeline = less CPU.
Explicit "skip PBF" action — let the FIB handle this match. Useful as a top-of-rulebase carve-out (e.g. exempt VPN traffic from a broader PBF rule below).
A flag on a Forward action — return traffic for the session is pinned to the same ingress interface using the source MAC. Required for dual-ISP inbound flows.
Rahul at TCS sets up a PBF rule to send branch-VPN traffic via ISP2. He sees in the logs that traffic still uses ISP1 sometimes. After investigation, the monitor target was down for those moments. What is the most likely root cause of traffic still flowing?
③ Symmetric Return — when the FIB picks the wrong way home
Imagine an inbound web request lands on ISP2's public IP. The firewall accepts the session, hands it to the internal web server. The server replies — and PAN-OS does an FIB lookup for the reply's destination IP (the internet client). The FIB picks the default route, which usually points at ISP1. Reply goes out ISP1. Client sees a packet with a different source IP than the one it sent to. TCP drops it. Application breaks. Welcome to asymmetric routing.
Symmetric Return fixes this. Tick the flag on a PBF rule, and PAN-OS remembers — per session — the source MAC of the device that sent the first packet. When the reply leaves, PAN-OS ignores the FIB and ARP-resolves back to that same MAC. Reply takes the same path the original packet came in on. Symmetric. Stateful. Survives.
▶ Symmetric Return rescues a dual-ISP inbound flow
A user from the internet hits the company's webapp on ISP2's public IP. Without Symmetric Return, the reply would take ISP1 and break.
10.50.5.10 → security rule allows → packet enters DMZ
200 OK to the client. Reply hits the firewall on the DMZ interface.
The return-mac table holds one entry per unique next-hop MAC the firewall has seen for symmetric-return sessions. Its size = half of the ARP table size, hard-coded per platform — not user-configurable. When full, new symmetric-return sessions silently get no return-MAC resolution and their reply packets are dropped. No log, no syslog, no SNMP alert. On a PA-3220 the limit is in the low thousands; on busy edge firewalls with many inbound flows it gets hit. Check with show pbf return-mac all | match Used · clear with clear pbf return-mac all · fix permanently by reducing Symmetric Return scope (only apply to the inbound-needed rules), upgrading platform, or splitting via multi-VR (next section).
Priya at HCL configures Symmetric Return on a PBF rule for inbound traffic on ISP2. After two weeks, ~3% of inbound sessions to ISP2-hosted servers suddenly hang. show pbf return-mac all shows the used count is at the model limit. What's the most accurate explanation and fix?
show pbf return-mac all. Immediate relief: clear the table. Long-term: trim the PBF rule to only the flows that truly need symmetric return, or — much better for scale — restructure with multiple virtual routers so the return path is governed by routing, not by Symmetric Return.④ Multi-VR — when PBF starts to hurt and routing should take over
PBF is great for tactical overrides. But once your rule count grows, or you need full BGP per ISP, or your Symmetric Return tables fill up, the right answer is to stop fighting the FIB and split it: create a virtual router per ISP. Each VR has its own RIB, its own default route, its own BGP / OSPF process. You stitch them together with next-vr static routes.
Holds internal LAN subnets, internal routing (OSPF/BGP). Default route → next-vr VR-ISP1 for outbound; static returns from VR-ISP1/VR-ISP2 land here.
Only the ISP1 uplink interface lives here. Default route → ISP1 next-hop. Static return for internal subnets → next-vr VR-Internal. Optional BGP peer with ISP1.
Only the ISP2 uplink interface lives here. Default route → ISP2 next-hop. Static return for internal subnets → next-vr VR-Internal. Path-isolation by design.
The next-vr static-route construct hands a packet from one VR's FIB to another's FIB lookup — no extra interface needed. The "wire" between virtual routers in the same chassis.
Why multi-VR is the right answer for inbound dual-ISP
An inbound flow landing on ISP2 is routed by VR-ISP2's FIB (default-route via ISP2). When the server replies, the reply enters VR-Internal — but VR-Internal's only route back to the internet client is via next-vr VR-ISP2 (because the source IP of the original request was learned via VR-ISP2's interface, not VR-ISP1's). Routing does the symmetric-return work for free. No PBF rule. No return-mac table. No silent drops at scale.
# VR-Internal
set network virtual-router VR-Internal interface [ ethernet1/1 ethernet1/2 ]
set network virtual-router VR-Internal routing-table ip static-route Default \
destination 0.0.0.0/0 nexthop next-vr VR-ISP1
# VR-ISP1
set network virtual-router VR-ISP1 interface [ ethernet1/4 ]
set network virtual-router VR-ISP1 routing-table ip static-route Default-ISP1 \
destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
set network virtual-router VR-ISP1 routing-table ip static-route Internal \
destination 10.0.0.0/8 nexthop next-vr VR-Internal
# VR-ISP2 (symmetric to VR-ISP1)
set network virtual-router VR-ISP2 interface [ ethernet1/5 ]
set network virtual-router VR-ISP2 routing-table ip static-route Default-ISP2 \
destination 0.0.0.0/0 nexthop ip-address 198.51.100.1
set network virtual-router VR-ISP2 routing-table ip static-route Internal \
destination 10.0.0.0/8 nexthop next-vr VR-Internal
PBF when: you need to override routing for a handful of well-scoped flows (guest WiFi, specific app to specific egress, on-the-fly diversion). Low rule count, low complexity, monitor-target works.
Multi-VR when: full dual-ISP with both directions, BGP per ISP, server publishing on multiple ISPs, large Symmetric Return scope (return-mac risk), need clean per-ISP RIB visibility, planning to add a third ISP or MPLS link later.
Many production designs end up with both: multi-VR for the structural per-ISP routing, plus a small PBF policy for guest-WiFi or a specific app override.
Karthik at Flipkart inherits a single-VR firewall with 30+ PBF rules and constant return-mac alarms. He proposes redesigning to one VR per ISP (3 ISPs) plus VR-Internal. Which statement is most accurate about this redesign?
next-vr stitches them. Returns route naturally back through the correct ISP because internal-to-external routes are pre-installed per VR. PBF reduces to a small set of tactical overrides. Trade-off: more upfront routing design + discipline to keep per-VR static routes in sync.⑤ Two commands you'll actually run during a PBF incident
test pbf-policy-match from trust-lan to untrust-isp2 source 192.168.99.45 destination 8.8.8.8 application ssl protocol 6 destination-port 443
Guest-to-ISP2 {
from guest-wifi;
source any;
destination any;
application any;
action forward;
nexthop 198.51.100.1;
egress ethernet1/3;
monitor 4.2.2.2 (status: up);
}
show pbf return-mac all show pbf rule all
Schedule a planned maintenance and run clear pbf return-mac all during low traffic. Watch show pbf return-mac all | match Used to confirm the table re-populates cleanly. This proves your monitor-target + symmetric-return config will recover automatically. The first time you do this in production should NOT be at 2 AM with users yelling.
🤖 Ask the AI Tutor
Tap any question — instant context-aware answer. No login, no waiting.
Pre-curated answers from PAN-OS 11.x docs + LIVECommunity TAC threads.
📝 Wrap-up — six more
You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.
📚 Sources
- Palo Alto Docs — Policy-Based Forwarding. docs.paloaltonetworks.com (network-security/security-policy/administration/policy-based-forwarding)
- Palo Alto Docs — Egress Path and Symmetric Return (PAN-OS 11.1). docs.paloaltonetworks.com
- Palo Alto Docs — Use Case: PBF for Outbound Access with Dual ISPs. docs.paloaltonetworks.com
- Palo Alto KB — Forwarding fails for specific traffic that matches a PBF rule. knowledgebase.paloaltonetworks.com
- LIVECommunity — Policy-Based Forwarding Symmetric Return Overview. live.paloaltonetworks.com/t5/general-articles/ta-p/545067
- LIVECommunity — What happens when the return-mac limit is reached when using symmetric routing? td-p/70987
- LIVECommunity — Dual ISP and PBF with single or multiple Virtual Routers. td-p/496236
- Weberblog — Policy Based Forwarding on a Palo Alto with different Virtual Routers. weberblog.net
What's next?
Next up: IPSec Site-to-Site VPN — IKEv1 vs IKEv2, the two-phase SA negotiation, proxy-ID mismatch (the AWS/Azure heartbreaker), DPD, and route-based vs policy-based VPN. Includes a guided link to the Techclick IPSec simulator.