https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598896#M3810 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/925386599">@H.Tendrup</a> ,</P> <P>&nbsp;</P> <P>As you mentioned, the interface is NOT part of the 6-tuple key that identifies a session.&nbsp; If the traffic comes in a different interface but the same zone, it will NOT be dropped.</P> <P>&nbsp;</P> <P>You mentioned the hypothetical zone "outside".&nbsp; If you are considering dual-ISPs, then the traffic out one interface will be NATed to the IP address on that interface <EM>which would dictate the return traffic coming back in the same interface</EM>.</P> <P>&nbsp;</P> <P>If the 2 interfaces are L3, you will want to enable ECMP.&nbsp; For a dual-ISP scenario, you would want to enable symmetric return for VPN traffic.&nbsp; Interfaces are tracked for symmetric return, but they don't define the session.&nbsp; The doc you posted refers to PBF.&nbsp; Using routing for ECMP is more straightforward.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 26 Sep 2024 18:57:30 GMT TomYoung 2024-09-26T18:57:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598883#M3808 <P>Hello,</P> <P>I'd like to configure a NGFW with dual routed interfaces on some zone, call it "outside." If some host on the inside zone initiates&nbsp; traffic to the outside zone, traffic will egress through one or the other outside interfaces, if the return traffic ingresses via the other interface, will the FW drop that traffic?&nbsp; In other words, are the ingress and egress interfaces tracked as part of the FW session and must be symmetric or just the zones? In this packet flow doc, interfaces are not mentioned as part of the 6-tuple that comprises a flow (zones are).</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0" target="_blank">Packet Flow Sequence in PAN-OS - Knowledge Base - Palo Alto Networks</A></P> <P>&nbsp;</P> <P>It would actually seem a little weird (to me) that interfaces are NOT tracked, but ¯\_(ツ)_/¯</P> <P>(this doc indicates that interfaces actually ARE tracked:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/pbf/egress-path-and-symmetric-return" target="_blank">Egress Path and Symmetric Return (paloaltonetworks.com)</A>, but it discusses traffic initiated from the outside and using a feature to handle returning that traffic symmetrically - this doesn't help me. Also the flow doc should be updated, if that's true)</P> <P>&nbsp;</P> <P>Is there a nerd-knob that disables specific interface tracking?</P> <P>I have other options, but 2 basic ospf links is the most straight forward.</P> <P>&nbsp;</P> <P>Thank you for considering!</P> Thu, 26 Sep 2024 17:23:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598883#M3808 H.Tendrup 2024-09-26T17:23:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598891#M3809 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/925386599">@H.Tendrup</a>&nbsp;</P> <P>The asymmetric path monitoring feature can be configured in two ways:</P> <OL> <LI><STRONG>Global configuration:</STRONG><SPAN>&nbsp;</SPAN>This applies the monitoring to all zones on the device.</LI> <LI><STRONG>Zone protection:</STRONG><SPAN>&nbsp;</SPAN>This allows you to configure monitoring for individual zones.</LI> </OL> <P>For more information on configuring asymmetric path monitoring, please refer to the following document:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK</A></P> Thu, 26 Sep 2024 18:14:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598891#M3809 jpomachagua 2024-09-26T18:14:53Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598896#M3810 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/925386599">@H.Tendrup</a> ,</P> <P>&nbsp;</P> <P>As you mentioned, the interface is NOT part of the 6-tuple key that identifies a session.&nbsp; If the traffic comes in a different interface but the same zone, it will NOT be dropped.</P> <P>&nbsp;</P> <P>You mentioned the hypothetical zone "outside".&nbsp; If you are considering dual-ISPs, then the traffic out one interface will be NATed to the IP address on that interface <EM>which would dictate the return traffic coming back in the same interface</EM>.</P> <P>&nbsp;</P> <P>If the 2 interfaces are L3, you will want to enable ECMP.&nbsp; For a dual-ISP scenario, you would want to enable symmetric return for VPN traffic.&nbsp; Interfaces are tracked for symmetric return, but they don't define the session.&nbsp; The doc you posted refers to PBF.&nbsp; Using routing for ECMP is more straightforward.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 26 Sep 2024 18:57:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ingress-egress-interfaces-part-of-firewall-session/m-p/598896#M3810 TomYoung 2024-09-26T18:57:30Z