Asymmetric Routing and TCP syn check based on interface or zone?



L4 Transporter

Hello,

I have a scenario where the firewall is connected to two routers, R1 and R2, through the eth1/1 and eth1/2 interfaces respectively. From the firewall, traffic goes out through R1 via eth1/1, and the return traffic comes back through R2 via eth1/2.

This is asymmetric routing, and the firewall's TCP SYN check will fail. My question is: does the Palo Alto firewall check TCP SYN and asymmetric routing based on interface or on zone? I mean, if both eth1/1 and eth1/2 are in the same zone, will this still fail the TCP SYN check?

Regards,

GR


L4 Transporter

Hi,

In the Zone Protection profile (TCP Drop), select Bypass for Asymmetric Path.

https://live.paloaltonetworks.com/t5/Management-Articles/Packets-are-Dropped-Due-to-TCP-Reassembly/t...

Regards,

HA

Hi,

Thanks for the reply. I just want to know: if I put both outgoing interfaces in the same zone, will the firewall then not drop the asymmetric traffic?

L7 Applicator

PA session match is based on zone, not on interface. So you are correct that if you put both interfaces into the same zone you can still achieve session match and not drop the traffic.

You can see the details of the packet inspection process in this document.

https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
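The two answers above combined into one PAN-OS CLI configuration, as an added example that is not from the thread or from Palo Alto Networks documentation: both edge interfaces go into one zone so the session matches, and the TCP checks are relaxed only on that zone through a Zone Protection profile rather than globally. The zone name `wan-asym`, the profile name `zpp-asym-bypass` and the use of `ethernet1/1` / `ethernet1/2` as layer-3 interfaces are assumptions.

```text
# Added example (not from the thread). Assumes layer-3 interfaces ethernet1/1 and
# ethernet1/2, a zone named "wan-asym" and a profile named "zpp-asym-bypass".

# 1. Put both edge interfaces in ONE zone, so the session created on the
#    eth1/1 path is matched when the return packets arrive on eth1/2.
set zone wan-asym network layer3 ethernet1/1
set zone wan-asym network layer3 ethernet1/2

# 2. Relax the TCP checks only on this zone via a Zone Protection profile
#    (TCP Drop settings): accept a non-SYN first packet and bypass the
#    asymmetric-path check. Scoping it to the zone keeps the default
#    SYN/window checks active on every other zone of the firewall.
set network profiles zone-protection-profile zpp-asym-bypass tcp-reject-non-syn no
set network profiles zone-protection-profile zpp-asym-bypass asymmetric-path bypass
set zone wan-asym network zone-protection-profile zpp-asym-bypass
commit

# 3. Verify: once the fix is in place, this global counter should stop
#    incrementing while the asymmetric flows are running.
show counter global filter delta yes | match flow_tcp_non_syn_drop
```

The global equivalents (`set deviceconfig setting session tcp-reject-non-syn no` and `set deviceconfig setting tcp asymmetric-path bypass`) also exist, but they disable the checks on every zone, so the per-zone profile is the narrower choice.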

Thanks, Steve!

  • 1 accepted solution
  • 10303 Views
  • 4 replies
  • 0 Likes