https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/120556#M45941 <P>Thansk steve !</P> Sat, 22 Oct 2016 14:21:01 GMT ghostrider 2016-10-22T14:21:01Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119132#M45776 <P>Hello&nbsp;</P><P>&nbsp;</P><P>I have scenario like firewall is connected to two routers R1 and R2 through eth1/1 and eth1/2 interfaces respectively. From firewall, traffic is going through R1 via eth1/1 interface and return traffic is coming through R2 via eth1/2.</P><P>&nbsp;</P><P>This is asymmetric routing and firewall tcp syn check will fail. My question is that Palo Alto firewall check tcp syn and asymmtric routing based on interface or zone? I mean if both eth1/1 and eth1/2 have same zone then this will not fail tcp syn checking?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>GR</P> Fri, 14 Oct 2016 12:33:06 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119132#M45776 ghostrider 2016-10-14T12:33:06Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119141#M45781 <P>Hi,</P><P>&nbsp;</P><P>In the ZONE Protection profile (TCP Drop), select Bypass for Asymmetric Path.</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Packets-are-Dropped-Due-to-TCP-Reassembly/ta-p/57139" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Packets-are-Dropped-Due-to-TCP-Reassembly/ta-p/57139</A></P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>HA</P> Fri, 14 Oct 2016 14:05:43 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119141#M45781 licenselu 2016-10-14T14:05:43Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119395#M45792 <P>Hi</P><P>&nbsp;</P><P>Thanks for the reply. Just want to know if I put both outoing interfaces interfaces in same zone then firewall will not drop asymmetric traffic?</P> Sun, 16 Oct 2016 11:53:38 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119395#M45792 ghostrider 2016-10-16T11:53:38Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119412#M45793 <P>PA session match is based on zone not on interface. &nbsp;So you are correct that if you put both interfaces into the same zone you can still achieve session match and not drop the traffic.</P><P>&nbsp;</P><P>You can see the details of the packet inspection process in this document.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081</A></P> Sun, 16 Oct 2016 21:40:30 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/119412#M45793 pulukas 2016-10-16T21:40:30Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/120556#M45941 <P>Thansk steve !</P> Sat, 22 Oct 2016 14:21:01 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check-based-on-interface-or-zone/m-p/120556#M45941 ghostrider 2016-10-22T14:21:01Z