I have a scenario where I will be having two ISP's (ISP-A and ISP-B) connected to the PA Firewalls via eth1/1 and eth1/2 interfaces. Both these Interfaces will be in the same untrust-zone. ISP-A will be the primary one and ISP-B the backup with some prepends and local preference for incoming and outgoing traffic.
However, ISP-B has confirmed that there will be cases where some external users using ISP-B will always prefer to come to Firewalls via ISP-B.This will cause an asymmetric routing where some of the incoming traffic is via ISP-B and outgoing is via ISP-A.
Since both Interfaces are in the same-zone some users have confirmed that session will match and traffic won't drop and Palo can handle the return traffic.
Has anyone configured similar setup successfully? Are there any gotchas with this kind of setup? If anyone can guide me to a formal Palo Guide would be vaulable too.
The PAN-OS implementation, the firewall identifies the flow using 6 tuple key:
>Src & Dst IP address
>Src & Dst ports
So, As long as both the ISP interface are in same zone and the security policies are configured on the basis of security zone only then you would be good.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!