I have to deploy the WAN firewall which have 2 WAN link. The requirement was egress traffic from the firewall to WAN will be send to Link A but the response traffic will be ingress from the Link B.
If I've set both of these interface in the same zone, untrust zone, does the firewall will be dropped because of asymmetric routing?? Or firewall wiil inspect traffic as usual becuase it return in the same zone, different interface but same zone??
Thats ..... a very odd way of doing things. Sessions are aware of the ingress and egress interface and session match expects this to always be true. I wouldn't expect the firewall to drop the traffic, but it would create a new session for all return traffic as it no longer matches the established session. Your security policies would then need to account for this.
I'm honestly more wondering how your service provider is handling this; they would run into the same issues as you are going to be presented and it just seems like a really odd way to configure things.
the zones are more important than the interface from a session perspective, so you shouldn't see issues of multiple sessions or dropped packets
I do wonder if your ISP doesn't have a nicer means to solve this than to present you with this challenge ;)
Is there no way for them to aggregate the lines onto a single device so at least from your perspective you're communicating with just one host ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!