topic Re: Palo alto routing query in General Topics https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-query/m-p/385938#M90183 <P>why do you want to have the palo connected like this? there is no added value to having the additional hop if traffic is not going to return symmetrically (no offence, but this is just bad design)</P><P>&nbsp;</P><P>ideally you would connect cisco-switch-vlan-1 to a different interface of the palo (you could even set it in layer2 mode so you don't need to worry about the subnet broadcast domain) and be able to see packet flow in both directions</P><P>&nbsp;</P><P>less ideally just force traffic from the switch to the firewall so it is able to form sessions and inspect traffic</P><P>&nbsp;</P><P>even less ideally set up u-turn NAT so packets bounced off of the palo like this are source NATed to the firewall IP so returning packets come back to it's interface</P><P>&nbsp;</P><P>anything but the bermuda triangle of tcp inspection©</P> Mon, 15 Feb 2021 12:43:44 GMT reaper 2021-02-15T12:43:44Z Palo alto routing query https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-query/m-p/385850#M90172 Wed, 24 Mar 2021 01:31:14 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-query/m-p/385850#M90172 Jatin.Singh 2021-03-24T01:31:14Z Re: Palo alto routing query https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-query/m-p/385938#M90183 <P>why do you want to have the palo connected like this? there is no added value to having the additional hop if traffic is not going to return symmetrically (no offence, but this is just bad design)</P><P>&nbsp;</P><P>ideally you would connect cisco-switch-vlan-1 to a different interface of the palo (you could even set it in layer2 mode so you don't need to worry about the subnet broadcast domain) and be able to see packet flow in both directions</P><P>&nbsp;</P><P>less ideally just force traffic from the switch to the firewall so it is able to form sessions and inspect traffic</P><P>&nbsp;</P><P>even less ideally set up u-turn NAT so packets bounced off of the palo like this are source NATed to the firewall IP so returning packets come back to it's interface</P><P>&nbsp;</P><P>anything but the bermuda triangle of tcp inspection©</P> Mon, 15 Feb 2021 12:43:44 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-query/m-p/385938#M90183 reaper 2021-02-15T12:43:44Z