topic Re: Asymmetric routing with the same interface in General Topics

Asymmetric routing with the same interface

Sahaswetch — Wed, 05 Sep 2018 14:54:06 GMT

I have to deploy the WAN firewall which have 2 WAN link. The requirement was egress traffic from the firewall to WAN will be send to Link A but the response traffic will be ingress from the Link B.

If I've set both of these interface in the same zone, untrust zone, does the firewall will be dropped because of asymmetric routing?? Or firewall wiil inspect traffic as usual becuase it return in the same zone, different interface but same zone??

Re: Asymmetric routing with the same interface

BPry — Wed, 05 Sep 2018 18:38:39 GMT

@Sahaswetch,

Thats ..... a very odd way of doing things. Sessions are aware of the ingress and egress interface and session match expects this to always be true. I wouldn't expect the firewall to drop the traffic, but it would create a new session for all return traffic as it no longer matches the established session. Your security policies would then need to account for this.

I'm honestly more wondering how your service provider is handling this; they would run into the same issues as you are going to be presented and it just seems like a really odd way to configure things.

Re: Asymmetric routing with the same interface

reaper — Thu, 06 Sep 2018 08:45:59 GMT

the zones are more important than the interface from a session perspective, so you shouldn't see issues of multiple sessions or dropped packets

I do wonder if your ISP doesn't have a nicer means to solve this than to present you with this challenge 😉

Is there no way for them to aggregate the lines onto a single device so at least from your perspective you're communicating with just one host ?