topic Global Protect Asymmetric routing issue in General Topics

Global Protect Asymmetric routing issue

Shadmin — Wed, 07 Oct 2020 10:57:22 GMT

Hey team hope someone can help me. I am pretty new to Palo and I am trying to setup Global Protect PreLogon in our corporate environment. I have managed to get it all working in the lab (awesome) now doing that in the live environment is different ball game...

Issue is that I am getting asymmetric routing, our default route goes out via another interface and to a legacy firewall, and I can see that the GP's wan interface is sending traffic using the default route. Not sure how I can force traffic received from GP's WAN interface. Below is my setup

IP's are different to live these are just sample IPs

WAN 1 - IP 192.168.50.1/30 (has sub IPs as well, 1 of which is used for GP wan 192.168.10.1)

WAN 2 - IP 192.168.100.1/30 (this goes to our legacy watchguard firwall) also default route is set to this next hop is 192.168.100.2/30

The Portal and Gateway uses Loopback address 10.10.10.253

Both WAN and Loopback are in the Internet Zone

Tunnel is Global Protect Zone

Destianation NAT any source zone , Internet destination Zone , to 192.168.10.1 Destination Address, Service (Port6000) Destination Translation address 10.10.10.253 port 443

Security Policy

Inbound - any source to Internet Zone Detination with address 10.10.10.253 and 192.168.10.1 Global Protect applications Allow

Outbound - Global Protect Zone any address to Corporate LAN, Internet default application allow

Both loopback and tunnel has been added to the default router

Now how do I say any traffic from 192.168.10.1 going outbound goes via 192.168.50.1 and NOT via default route ?

I tried setting up a policy based forwarding but there doesn't seem to be any traffic that is going to it.

the Policy is

From interface WAN1 Address 192.168.50.1 and 10.10.10.253 , negate the internal LANs , forward traffic to WAN1 Interface 192.168.100.2.

Re: Global Protect Asymmetric routing issue

OtakarKlier — Wed, 07 Oct 2020 19:32:10 GMT

Hello,

Have you setup an internal gateway for globalprotect? That way it doesnt have to go 'outside' to connect?

Couple links that may help:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS

Regards,

Re: Global Protect Asymmetric routing issue

Abdul-Fattah — Wed, 07 Oct 2020 19:57:58 GMT

Hi,

To achieve what you want. You will need to create policy based forwarding for outgoing traffic and enable “symmetric Routing”. The back traffic the will be recognized automatically.

Re: Global Protect Asymmetric routing issue

Shadmin — Fri, 09 Oct 2020 12:23:28 GMT

Hey Abdul,

I have already setup a policy based forwarding or tried to which goes something like

Source Internet Zone with IP (WAN Subnet IP) , Negate Destination (Local subnets) forward to next hop of WAN 1

but no traffic seem to be using that policy

Re: Global Protect Asymmetric routing issue

Nick.Chenault — Tue, 06 Feb 2024 16:18:48 GMT

Did you find an answer to this problem? I'm having the same issue, created PBF rules but the traffic does not seem to hit it.