04-09-2025 04:11 AM
Hi,
I saw a function named ECMP on the Palo Alto NGFW. I think it can load-balance outbound traffic across two or more physical or logical links. I also saw that there is inbound interface information in the firewall's session table.
So I want to know: suppose the firewall has two outside links, port1 and port2, connected to the outside network. Maybe they are both in the untrust zone, and we then enable the ECMP function on the firewall's virtual router; of course we have two ECMP routes with the same metric. In that case, if traffic is sent from the inside network to the outside, the SYN packet is transmitted via port1 but the SYN+ACK reply is received on port2, will there be a problem because the outgoing port is different from the incoming port? Will the SYN+ACK packet be forwarded or discarded? Will our session table check the information about the incoming or outgoing port? I need your help, thanks! By the way, I only know a little English, so if you can't understand what I mean, please leave a comment and I'll explain more about this question. Thank you!
04-10-2025 03:45 AM
If you have all your ECMP interfaces set in the same zone (e.g. Untrust), the firewall will accept returning packets on the 'wrong' (non-egress) interface.
04-09-2025 09:02 AM
Hello,
Hope this can answer your questions.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH0CAK
The traffic should return on the same port it was sent out from.
Regards,
04-09-2025 09:17 AM
Hi,
Thanks for your answer, but I think if we use ECMP we can't control which port the return packet (for example a SYN+ACK packet) selects. If the route makes the packet select a port different from the one that transmitted the SYN packet, will the firewall discard the SYN+ACK packet because of a session table mismatch, or for another reason?
Best Wishes
04-10-2025 11:39 AM
Hello,
What @reaper said. Here is an article that goes over what I think you are wanting to deploy.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK
Regards,
04-10-2025 07:01 PM
Yeah! Thank you for your answer, I understand this concept now, and I also did an experiment on this question. The conclusion is the same as your answer. By the way, if I use VLAN interfaces instead of physical L3 interfaces, and the two ECMP VLAN interfaces are in the same security zone but use different VLAN tags, will the conclusion be the same? I mean, will the firewall accept returning packets that have a different VLAN tag from the request packets?
04-10-2025 08:58 PM
Hi,
Thank you for your help. I tried the part of this document that uses ECMP between two different zones, but without the source NAT config it doesn't work. Maybe we should use NAT in this context.
Best Wishes
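A small Python model of the behaviour discussed in this thread (reaper's answer and the last post): return traffic is matched against the session by zone rather than by interface, so a SYN+ACK arriving on port2 still matches a session whose SYN left via port1, while the same reply arriving on an interface in a different zone does not match. This is an added example, not PAN-OS code or Palo Alto's implementation; the interface names, zone names and addresses are constructed, and treating the cross-zone case as a plain non-match is a simplifying assumption based on the last post's observation, not documented firewall behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress_if: str

@dataclass
class Session:
    key: tuple      # (src, sport, dst, dport) as seen from the client
    dst_zone: str   # zone the SYN was forwarded into
    egress_if: str  # interface ECMP picked for the SYN (recorded, not enforced)

class ZoneSessionTable:
    """Session lookup that matches return traffic by zone, not by interface (model)."""

    def __init__(self, zone_of):
        self.zone_of = zone_of   # interface name -> zone name (constructed mapping)
        self.sessions = {}

    def install(self, pkt, egress_if):
        """Create the session when the SYN is forwarded out of egress_if."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.sessions[key] = Session(key, self.zone_of[egress_if], egress_if)

    def match_return(self, pkt):
        """Return the matching session for a server-to-client packet, or None.
        The 5-tuple is reversed; the only path check is that the packet arrived
        in the zone the session left through, whatever the interface."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        sess = self.sessions.get(key)
        if sess is None or self.zone_of[pkt.ingress_if] != sess.dst_zone:
            return None
        return sess

# Constructed topology: port1/port2 are ECMP links in Untrust, port3 sits in another zone.
ZONES = {"eth1": "Trust", "port1": "Untrust", "port2": "Untrust", "port3": "Untrust2"}

def return_is_accepted(egress_if, return_if, zone_of=ZONES):
    """True if a SYN+ACK arriving on return_if matches the session opened via egress_if."""
    table = ZoneSessionTable(zone_of)
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443, "eth1")
    table.install(syn, egress_if)
    syn_ack = Packet("203.0.113.10", 443, "10.0.0.5", 40000, return_if)
    return table.match_return(syn_ack) is not None
```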