article Policy-Based Forwarding Symmetric Return Overview in General Articles https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/ta-p/545067 <DIV class="lia-message-template-content-zone"> <P><SPAN><STRONG style="box-sizing: inherit; color: #1d1c1d; font-family: Slack-Lato, Slack-Fractions, appleLogo, sans-serif; font-size: 15px; font-style: normal; font-variant-ligatures: common-ligatures; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #f8f8f8; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" data-stringify-type="bold"><I data-stringify-type="italic">This article was created by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163113">@aalex</a>&nbsp;<BR /></I></STRONG></SPAN></P> <P>&nbsp;</P> <P><SPAN>Enabling symmetric return ensures that return traffic is forwarded out through the same interface through which traffic ingresses. This feature is useful when the requirement is to access servers through two ISP connections (on different ingress interfaces) and the return traffic must be routed through the ISP that originally routed the sessions.</SPAN><BR style="box-sizing: border-box; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>This feature is also required for asymmetric routing environments.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The feature is configured under<EM> Policies &gt; Policy Base Forwarding &gt; Open an existing rule<STRONG>, </STRONG>or click <STRONG>Add</STRONG> to create a new one &gt; Forwarding</EM>. Tick the <STRONG>Enforce Symmetric Return</STRONG> button </SPAN><SPAN>to enable the feature.</SPAN></P> <P><BR style="box-sizing: border-box; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>Note: If the client-to-server traffic does not need to be forwarded to a specific egress interface or next hop then the <EM>Forwarding &gt; Action</EM>&nbsp;</SPAN><SPAN>can be set to <STRONG>No PBF</STRONG>.</SPAN><SPAN> This prevents the alteration of the path that the client-to-server packets take, which lets the matching client-to-server packets use the normal route table path while the server-to-client packets still benefit from the symmetric return feature.</SPAN></P> <P><BR style="box-sizing: border-box; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN>Things to keep in mind regarding next hop addresses:</SPAN></P> <P>&nbsp;</P> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: disc; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">Configuring next hop addresses in the Next Hop Address List is optional, but forwarding may fail when Enforce Symmetric Return is enabled without a next hop address. Click<SPAN>&nbsp;</SPAN><STRONG><A style="box-sizing: border-box; color: #0070d2; background-color: transparent; cursor: pointer; outline: none; text-decoration: none; transition: color 0.1s linear 0s; touch-action: manipulation;" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5gCAC" target="_blank" rel="noopener">here</A>&nbsp;</STRONG>for more details.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">Up to 8 next hop addresses can be defined per PBF rule.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">PBF rules will not use the symmetric return option if the packet's source IP address is in the same subnet as the symmetric return address.</FONT></LI> </UL> <P>&nbsp;</P> <DIV id="tinyMceEditorkiwi_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorkiwi_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="kiwi_3-1686129028146.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50697i7EE5E6FC08947FEB/image-size/large?v=v2&amp;px=999" role="button" title="kiwi_3-1686129028146.png" alt="kiwi_3-1686129028146.png" /></span></DIV> <P>&nbsp;</P> <P><SPAN>The following command can be used to monitor the return-mac entry table:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin@VM-1&gt; show pbf return-mac all current pbf configuation version: 1 total return nexthop addresses : 0 index pbf id ver hw address ip address return mac egress port -------------------------------------------------------------------------------- maximum of ipv4 return mac entries supported : 1250 total ipv4 return mac entries in table : 0 total ipv4 return mac entries shown : 0 status: s - static, c - complete, e - expiring, i - incomplete pbf rule id ip address hw address port status ttl -------------------------------------------------------------------------------- maximum of ipv6 return mac entries supported : 500 total ipv6 return mac entries in table : 0 total ipv6 return mac entries shown : 0 status: s - static, c - complete, e - expiring, i - incomplete pbf rule id ip address hw address status --------------------------------------------------------------------------------</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P style="box-sizing: border-box; margin: 0px 0px 0.75rem; padding: 0px; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><FONT size="3">This return-mac table can be cleared manually with the following commands:</FONT></P> <P style="box-sizing: border-box; margin: 0px 0px 0.75rem; padding: 0px; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">&nbsp;</P> <P style="box-sizing: border-box; margin: 0px 0px 0.75rem; padding: 0px; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; clear pbf return-mac name &lt;value&gt; or &gt; clear pbf return-mac all</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P style="box-sizing: border-box; margin: 0px 0px 0.75rem; padding: 0px; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">&nbsp;</P> <P style="box-sizing: border-box; margin: 0px 0px 0.75rem; padding: 0px; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><FONT size="3">Notes regarding the return-mac table:</FONT></P> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: disc; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">The return-mac table size is always half of the ARP table entry size based on the firewall model. This capacity applies per device and is not limited per vsys.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">The displayed entries in the table, as well as the total entries counter, only show the information from the current vsys.</FONT> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: circle;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">To change the vsys information being displayed, change to a different vsys and re-run the command:</FONT></LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; set system setting target-vsys &lt;vsys-name&gt; once done, set it back &gt; set system setting target-vsys none</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: disc; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">The unused entries remain in the table for 30 minutes before getting timed out and flushed automatically.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">If a symmetric return next hop address is<SPAN>&nbsp;</SPAN><EM style="box-sizing: border-box;">not<SPAN>&nbsp;</SPAN></EM>configured, then the packet's source MAC address is used as the return-mac.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">If a symmetric return next hop address is configured, then the packet's source MAC address is also used as the return-mac, but if the return-mac table reaches 80% of its capacity then new return-mac entries are no longer populated in that table and the return-mac falls back to using the configured next hop's MAC address.</FONT> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: circle;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">If there are multiple IP addresses configured in the Next Hop Address List then the first one that is accessible (ARP resolved) will be selected as the next hop.</FONT></LI> </UL> </LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">There are no logs/alerts triggered once the return-mac entries threshold is reached.</FONT></LI> </UL> <P>&nbsp;</P> <P><SPAN>The following should also be noted when using the symmetric return feature:&nbsp;</SPAN></P> <P>&nbsp;</P> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: disc; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">The<SPAN>&nbsp;</SPAN><EM style="box-sizing: border-box;">Source &gt; Type</EM><SPAN>&nbsp;</SPAN>of the PBF rule must be an interface, not a zone.</FONT></LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="kiwi_4-1686129261081.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50698iEB3497FCA2140FB0/image-size/large?v=v2&amp;px=999" role="button" title="kiwi_4-1686129261081.png" alt="kiwi_4-1686129261081.png" /></span></P> <P>&nbsp;</P> <UL style="box-sizing: border-box; margin: 0px 0px 0.75rem 1.5rem; padding: 0px; list-style: disc; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">The symmetric return option can be used for all Layer-3 interfaces, except loopback interfaces. It is also supported for interfaces that have the IP address assigned dynamically (DHCP and PPoE).</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">The next hop address list is not supported for tunnel and PPoE interfaces.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">If an interface has multiple PBF rules, only one rule can enforce symmetric return.</FONT></LI> <LI style="box-sizing: border-box; margin-left: 0px; padding-left: 0px;"><FONT size="3">If the same source IP address is expected to come in from different ingress interfaces, then the return traffic for this client may flap in between the ingress interfaces when hardware offloading is involved. It is suggested to configure separate symmetric-return PBF rules for each ingress interface to avoid this.</FONT></LI> </UL> <P>&nbsp;</P> <H4><SPAN class="fieldLabel">Additional Information</SPAN></H4> <P><BR style="box-sizing: border-box; color: #16325c; font-family: 'Salesforce Sans', Arial, sans-serif; font-size: 11.375px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN class="richTextArea slds-text-longform tile__title red-txt">Additional details about Symmetric Return configuration with examples can be found<SPAN>&nbsp;</SPAN><A style="box-sizing: border-box; color: #0070d2; background-color: transparent; cursor: pointer; outline: none; text-decoration: none; transition: color 0.1s linear 0s; touch-action: manipulation;" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK" target="_blank" rel="noopener">here</A>.<BR /><BR /></SPAN></P> Wed, 07 Jun 2023 18:15:34 GMT kiwi 2023-06-07T18:15:34Z Policy-Based Forwarding Symmetric Return Overview https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/ta-p/545067 <P><SPAN>Enabling symmetric return ensures that return traffic is forwarded out through the same interface through which traffic ingresses. This feature is useful when the requirement is to access servers through two ISP connections (on different ingress interfaces) and the return traffic must be routed through the ISP that originally routed the sessions.</SPAN></P> Wed, 07 Jun 2023 18:15:34 GMT https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/ta-p/545067 kiwi 2023-06-07T18:15:34Z Re: Policy-Based Forwarding Symmetric Return Overview https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/tac-p/596602#M746 <P>What happens if you use Source Zone instead of Source Interface while enabling Symmetric Return?</P> Tue, 03 Sep 2024 10:41:35 GMT https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/tac-p/596602#M746 FrancisMatutes 2024-09-03T10:41:35Z Re: Policy-Based Forwarding Symmetric Return Overview https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/tac-p/1238582#M833 <P>PPPoE 回線に PBR の 'symmetric return' を指定する場合、next-hop アドレスを指定できません。<BR />対向機器は ISP のルーター 1台でも return-mac table の溢れに注意する必要がありますか?</P> Tue, 23 Sep 2025 15:48:59 GMT https://live.paloaltonetworks.com/t5/general-articles/policy-based-forwarding-symmetric-return-overview/tac-p/1238582#M833 FFEEC73E3F24854683C8C9 2025-09-23T15:48:59Z