topic When should I use "enforce symmetric return" in the PBF rules? in General Topics

When should I use "enforce symmetric return" in the PBF rules?

Maxstr — Fri, 23 Jun 2017 14:48:29 GMT

What is the purpose of this setting? Doesn't all traffic go out the same route as it came in, anyway?

Re: When should I use "enforce symmetric return" in the PBF rules?

BPry — Fri, 23 Jun 2017 14:58:06 GMT

The only use case that I can think of off hand is asymetrical routing, this would ensure that your PBF rule actually gets the return traffic.

* Gives a nice breakdown of why you would actually use it.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Symmetric-Return/ta-p/59374

Re: When should I use "enforce symmetric return" in the PBF rules?

Maxstr — Fri, 23 Jun 2017 15:24:17 GMT

That article mentions dual ISP's, and I do have dual ISP with PBF rules for failover. So traffic that comes in one ISP goes out the same ISP.

So by enabling this option, I can have traffic coming in one IP, and out a different IP? Like in ISP1 and out ISP2? That sounds exactly the opposite of enforcing symmetric return.

Re: When should I use "enforce symmetric return" in the PBF rules?

acc6d0b3610eec313831f7900fdbd235 — Fri, 23 Jun 2017 18:02:34 GMT

Hi @Maxstr

@BPry is right. The only case where you would need to use Symmetric Return is to ensure that the traffic returns through the same path where it originally came in. Regardless of having dual ISP you still can use this feature as all you want to achieve is to make sure the traffic is kept in a symmetrical fashion.

Although the article below mentions two ISPs, the only reason the author mentions that is because he want to show that redundancy is possible by configuring duplicated security and NAT policies, but notice that he only needed to configure one set of PBF policies to achieve what he wants which is to keep the traffic symmetrical.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Symmetric-Return/ta-p/59374

Now responding your question:

Doesn't all traffic go out the same route as it came in, anyway? The answer here is depend. And the reason I say that is because it depends on what the backend server default gateway is. Imagine that the traffic coming in is going to a server, which the default gateway is not the firewall, but a router. It means that the response out to the client will source from a different IP, which will incur ina broken (Rejected) connection.

The below link is for an F5 Networks article that explains this scenario, and it tells you exactly what the behavior of an asymmetrical routing issue would be especially when dealing with NAT or in our case here PBF.

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html

I hope this helps.

Re: When should I use "enforce symmetric return" in the PBF rules?

Maxstr — Fri, 23 Jun 2017 18:56:09 GMT

Thanks for the reply. The one thing that still confuses me is that when you enable Enforce Symmetric on the PBF rule, it opens up the box below it titled "Next hop address list" on the bottom.

If it were enforcing the same return path, why would you need to provide additional next-hop IP's?

Re: When should I use "enforce symmetric return" in the PBF rules?

BPry — Fri, 23 Jun 2017 20:36:47 GMT

@Maxstr,

There's a part in the above article that mentions all of that but,

'Configure Next Host IP address if Destination Network is not directly connected'

You have to remember that a PBF with symmetric return is essentially a routing policy that is simply processed pre-routing table. So you have to essentially provide all available routing options for people that actually need them to be present.

Re: When should I use "enforce symmetric return" in the PBF rules?

CLIq — Tue, 15 Dec 2020 09:56:11 GMT

sorry for digging out this years old threat but I have been trying to find some more detailled information on this but it seems some in depth insight of how this works is difficult to find...

Of course shortly after posting this I found the technical answer:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/policy-based-forwarding/pbf/egress-path-and-symmetric-return.html

So for anyone who is/was wondering how its actually done, its explained there... answered all my open questions 🙂

Re: When should I use "enforce symmetric return" in the PBF rules?

Darin-May — Fri, 14 Mar 2025 16:38:57 GMT

Both those article links are now dead. I'm trying to hunt them down by topic...