https://live.paloaltonetworks.com/t5/general-topics/pbf-smtp-for-both-isp1-isp2/m-p/155454#M51121 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8908">@x</a>,</P><P>do you have a single Virtual Router with attached both ISPs?</P><P>&nbsp;</P><P>I suggest you to follow this article:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774</A></P><P>&nbsp;</P><P>You need to follow this article without the VPN parts.</P><P>I have already done the same configuration you described and it works fine.</P><P>&nbsp;</P><P>Let me know.</P><P>Jacopo</P> Mon, 08 May 2017 08:01:55 GMT Jacopo_Vigano 2017-05-08T08:01:55Z https://live.paloaltonetworks.com/t5/general-topics/pbf-smtp-for-both-isp1-isp2/m-p/155440#M51120 <P>I'm wondering if anyone has a similar setup and got it working. I'd like to have both SMTP services enabled on two ISPs for load-balancing and redundancy. I tried using PBF but couldn't get it working. It seems SMTP for ISP1 works fine but SMTP for ISP2 comes into the firewall but the application is incomplete. Which tells me the 3 way handshake is not completing. I took a pcap and didn't see any drops however. &nbsp;I followed the articles below as guidelines:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Symmetric-Return/ta-p/59374" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Symmetric-Return/ta-p/59374</A></P><P>&nbsp;</P><P>eth1/1.2 ISP1 1.1.1.1</P><P>eth 1/1.3 ISP2 2.2.2.2</P><P>Inside 10.1.1.1 - STMP server is 10.1.1.25</P><P>&nbsp;</P><P>Security allows SMTP traffic to both ISPs</P><P>NATs for both ISPs (inbound and outbound on SMTP service)</P><P>Default route is 2.2.2.2</P><P>PBF to force symmetric return if interface comes in from from eth1/1.3&nbsp;</P><P>PBF forces browsing to 1.1.1.1</P><P>&nbsp;</P><P>From what I can tell all the policies that I've defined are being hit and symmetric return is being acknowledged but the traffic is not going through. Traffic for ISP1 is identified as SMTP but for ISP2, it is incomplete.</P><P>&nbsp;</P><P>I've got a TAC opened but also wanted to check with our awesome community!&nbsp;</P><P>&nbsp;</P><P>Thanks folks!</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 07 May 2017 21:00:07 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-smtp-for-both-isp1-isp2/m-p/155440#M51120 x 2017-05-07T21:00:07Z https://live.paloaltonetworks.com/t5/general-topics/pbf-smtp-for-both-isp1-isp2/m-p/155454#M51121 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8908">@x</a>,</P><P>do you have a single Virtual Router with attached both ISPs?</P><P>&nbsp;</P><P>I suggest you to follow this article:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774</A></P><P>&nbsp;</P><P>You need to follow this article without the VPN parts.</P><P>I have already done the same configuration you described and it works fine.</P><P>&nbsp;</P><P>Let me know.</P><P>Jacopo</P> Mon, 08 May 2017 08:01:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-smtp-for-both-isp1-isp2/m-p/155454#M51121 Jacopo_Vigano 2017-05-08T08:01:55Z