01-22-2024 09:20 AM
Hi Community,
I want to configure a new implementation to route certain source traffic via a different interface. I have 2 OUTSIDE interfaces and 2 inside interfaces. I want to divide the outbound traffic via WAN and O-365. A load balancer will determine which IP is going to which of my 2 inside interfaces. If a user goes to Outlook or 365 it will follow the path interface 1/3 & 1/4; otherwise, it will go to interface 1/1 & 1/2. The current FMC and FTD version is 7.2.5.
1/1 - 133.133.1.22
1/2 - 211.25.10.50 (WAN)
1/3 - 10.10.11.100
1/4 - 202.168.100.2(O-365)
From extended I do:
Default : src-any, dest-Wan Gateway
O-365 : src-any, dest-O365 gateway
PBR :
Ingress- 1/1 | traffic match - Default | sent through - 1/2
Ingress- 1/3 | traffic match - O-365 | sent through - 1/4
Static Route:
Network-any, Interface 1/1, gateway 1/1, metric 1
Network-any, Interface 1/3, gateway 1/3, metric 1
Network-any, Interface 1/2, gateway 1/2, metric 20
Network-any, Interface 1/4, gateway 1/4, metric 20
I also configured ECMP for Interface WAN and O-365
From my setup below, do I still need to configure FlexConfig in FMC, or is my configuration above enough? I need your expertise to comment on my setup.
01-22-2024 09:24 AM
From FMC 7.1 onwards, PBR is configured using the GUI - that is good enough to work:
Check the guide below:
01-22-2024 10:01 AM
Hi balaji,
I have followed this guide as well, but I did not configure path monitoring, as the two ISPs have their own traffic. My concern is the internal side: most of the KBs and guides show the internal side with only one interface, but this one has two. So I don't quite understand how the load balancer will split the traffic to both of the internal interfaces.
01-22-2024 02:53 PM
I want to check what your interface configuration is and what zones they are in.
Can you provide the relevant config related to the interfaces, PBR and routes?
Confirm that, except for the PBR, it is generally working?
01-22-2024 07:10 PM
Both internal zones are set as LAN and both ISP zones are set as WAN.
This is a new implementation, so no testing yet, as this will replace a SonicWall PBR. Most SonicWall PBRs use PBR src-any, dst-any, interface-internal but the gateway is 0.0.0.0. Can Cisco do gateway 0.0.0.0 for an interface?
01-22-2024 09:25 AM - edited 01-22-2024 09:28 AM
I don't think the load balancer can load balance traffic in your case, since all traffic passes to the FW and from there must flow to the correct path.
So you need FlexConfig and config PBR.
Note: now FMC supports PBR directly, no need for FlexConfig; it depends on the FMC version.
MHM
01-22-2024 10:03 AM
So meaning FlexConfig also needs to be configured? Do you have a guide to configure FlexConfig?
01-22-2024 10:05 AM
But I see you commented that your FMC supports PBR, so no need for FlexConfig.
For two inside interfaces:
Config two PBRs, one for each inside interface.
The ACL you can config with permit any any.
MHM
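As an added illustration of what the original poster's PBR setup and MHM's "one PBR per inside interface, ACL permit any any" advice look like at the FTD CLI level (this is example config written for this thread, not the poster's configuration or Cisco documentation; on FMC 7.2.5 the PBR policy page generates the equivalent, so FlexConfig is not required). Assumptions: interface names LAN1/LAN2/WAN/O365, and the two ISP gateway addresses, which the thread does not give, are shown as placeholders:

```cisco
! Added example config, not from the thread. Gateway IPs are placeholders.
! Inside: 1/1 (133.133.1.22) -> LAN1, 1/3 (10.10.11.100) -> LAN2
! Outside: 1/2 (211.25.10.50) -> WAN, 1/4 (202.168.100.2) -> O365

! Match ACLs, one per ingress interface. permit ip any any means EVERY flow
! entering that inside interface is steered to its ISP regardless of destination;
! the load balancer in front of the FTD is what decides which inside interface
! a user lands on, so the FTD itself never inspects the destination.
access-list PBR_LAN1 extended permit ip any any
access-list PBR_LAN2 extended permit ip any any

! Route-maps: override the routing table and force the next hop.
route-map PBR_TO_WAN permit 10
 match ip address PBR_LAN1
 set ip next-hop <WAN_GATEWAY_IP>
route-map PBR_TO_O365 permit 10
 match ip address PBR_LAN2
 set ip next-hop <O365_GATEWAY_IP>

! PBR is applied on the INGRESS (inside) interfaces only.
interface GigabitEthernet1/1
 nameif LAN1
 policy-route route-map PBR_TO_WAN
interface GigabitEthernet1/3
 nameif LAN2
 policy-route route-map PBR_TO_O365

! Default routes live on the OUTSIDE interfaces, not the inside ones.
! Equal metrics on two interfaces require both to be in one ECMP zone,
! which the poster says is already configured for WAN and O-365.
route WAN  0.0.0.0 0.0.0.0 <WAN_GATEWAY_IP> 1
route O365 0.0.0.0 0.0.0.0 <O365_GATEWAY_IP> 1
```

To verify the policy before cutover, `show running-config route-map` and `show running-config access-list` confirm what FMC deployed, and `packet-tracer input LAN1 tcp 10.10.11.50 1025 <DEST_IP> 443` (source and destination are placeholders) shows the PBR phase and the egress interface chosen for a given flow, so a mis-steered path can be caught without sending live user traffic.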