https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26133#M19084 <HTML><HEAD></HEAD><BODY><P>This link contains helpful information to address the issue. <A href="https://live.paloaltonetworks.com/docs/DOC-1260">https://live.paloaltonetworks.com/docs/DOC-1260</A></P><P></P><P>Disabling tcp-reject-non-syn solves the assymetric routing problem. However, I am not sure about the security implications it could have.</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 22 Feb 2011 08:02:21 GMT ajripa 2011-02-22T08:02:21Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26131#M19082 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P>I have an issue I faced before with OpenBSD's PF Firewall but I am not able to solve with PAN.</P><P></P><P>My topology is:</P><P></P><P>INET ----- PAN ---- DMZ ---- Balancer ---- Balanced Servers</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LAN</P><P>The domain controllers for the DMZ domain are located in DMZ and their default gateway is PAN. The route to reach the balanced servers network is configured in PAN and I can reach the balanced servers network either from LAN and from DMZ. However, although I can ping from the domain controllers in the DMZ to the balanced servers and viceversa, I am facing some validations issues. These issues dissapear when I configure a static route on the domain controllers to reach the balanced servers directly through the balancer. I know it's weird to go through PAN to reach balanced servers from DMZ, but I don't like adding static routes to servers.</P><P></P><P>I could solve the problem with PF modifiying the stateful behaviour.</P><P></P><P>Any idea?</P></BODY></HTML> Mon, 21 Feb 2011 12:46:09 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26131#M19082 ajripa 2011-02-21T12:46:09Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26132#M19083 <HTML><HEAD></HEAD><BODY><P>It looks like the Palo Alto firewall is only seeing half of the flows from the DMZ servers to the Balanced Servers.&nbsp; The initial packet from the DMZ server goes to the firewall, which then sends it through the Balancer.&nbsp; When the Balanced Servers send the response back to the Balancer, they see the destination as a connected network, so instead of sending the traffic back to the firewall, it gets sent directly to the DMZ server.</P><P></P><P>This is a type of asymmetric route.&nbsp; You can either put static routes on your servers, as you have done, or you can put more specific routes to those servers on the Balancer with a next hop of the firewall.&nbsp; Another option would be to put another pair of firewall ports (L3 or Vwire) in front of the Balancer so you can fully inspect the traffic between the DMZ servers and the Balanced Servers.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Mon, 21 Feb 2011 22:10:22 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26132#M19083 kbrazil 2011-02-21T22:10:22Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26133#M19084 <HTML><HEAD></HEAD><BODY><P>This link contains helpful information to address the issue. <A href="https://live.paloaltonetworks.com/docs/DOC-1260">https://live.paloaltonetworks.com/docs/DOC-1260</A></P><P></P><P>Disabling tcp-reject-non-syn solves the assymetric routing problem. However, I am not sure about the security implications it could have.</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 22 Feb 2011 08:02:21 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26133#M19084 ajripa 2011-02-22T08:02:21Z https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26134#M19085 <HTML><HEAD></HEAD><BODY><P>Answered.</P></BODY></HTML> Tue, 01 Mar 2011 09:50:06 GMT https://live.paloaltonetworks.com/t5/general-topics/routing-issue/m-p/26134#M19085 ajripa 2011-03-01T09:50:06Z