https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287170#M76681 <P>Hello All,</P><P>&nbsp;</P><P>I have a scenario where I will be having two ISP's (ISP-A and ISP-B) connected to the PA Firewalls via eth1/1 and eth1/2 interfaces.&nbsp;Both these Interfaces will be in the same untrust-zone. ISP-A will be the primary one and ISP-B the backup&nbsp;with some prepends and local preference for incoming and outgoing traffic.</P><P><BR />However, ISP-B has confirmed that there will be cases where some external users using ISP-B will always prefer to come to Firewalls via ISP-B.This will cause an asymmetric routing where some of the incoming traffic is via ISP-B and outgoing is via ISP-A.</P><P>&nbsp;</P><P>Since both Interfaces are in the same-zone some users have confirmed that session will match and traffic won't drop and Palo can handle the return traffic.<BR />Has anyone configured similar setup successfully? Are there any gotchas with this kind of setup? If anyone can guide me to a formal Palo Guide would be vaulable too.</P><P>&nbsp;</P><P>Thanks<BR />AS</P> Sat, 07 Sep 2019 03:45:24 GMT Anjush 2019-09-07T03:45:24Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287170#M76681 <P>Hello All,</P><P>&nbsp;</P><P>I have a scenario where I will be having two ISP's (ISP-A and ISP-B) connected to the PA Firewalls via eth1/1 and eth1/2 interfaces.&nbsp;Both these Interfaces will be in the same untrust-zone. ISP-A will be the primary one and ISP-B the backup&nbsp;with some prepends and local preference for incoming and outgoing traffic.</P><P><BR />However, ISP-B has confirmed that there will be cases where some external users using ISP-B will always prefer to come to Firewalls via ISP-B.This will cause an asymmetric routing where some of the incoming traffic is via ISP-B and outgoing is via ISP-A.</P><P>&nbsp;</P><P>Since both Interfaces are in the same-zone some users have confirmed that session will match and traffic won't drop and Palo can handle the return traffic.<BR />Has anyone configured similar setup successfully? Are there any gotchas with this kind of setup? If anyone can guide me to a formal Palo Guide would be vaulable too.</P><P>&nbsp;</P><P>Thanks<BR />AS</P> Sat, 07 Sep 2019 03:45:24 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287170#M76681 Anjush 2019-09-07T03:45:24Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287198#M76687 <P>Hi Anjush,</P><P>&nbsp;</P><P>The PAN-OS implementation, the firewall identifies the flow using 6 tuple key:</P><P>&gt;Src &amp; Dst IP address</P><P>&gt;Src &amp; Dst ports</P><P>&gt;Protocol</P><P>&gt;Security Zone</P><P>&nbsp;</P><P>So, As long as both the ISP interface are in same zone and the security policies are configured on the basis of security zone only then you would be good.</P><P>&nbsp;</P> Sat, 07 Sep 2019 20:36:34 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287198#M76687 JAIDEEP 2019-09-07T20:36:34Z https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287207#M76690 <P>FYI:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0xCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0xCAC</A></P> Sat, 07 Sep 2019 21:22:52 GMT https://live.paloaltonetworks.com/t5/general-topics/asymmetric-routing-and-tcp-syn-check/m-p/287207#M76690 myky 2019-09-07T21:22:52Z