This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Asymmetric routing with the same interface

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

Asymmetric routing with the same interface

Sahaswetch
L0 Member

‎09-05-2018 07:54 AM

I have to deploy the WAN firewall which have 2 WAN link. The requirement was egress traffic from the firewall to WAN will be send to Link A but the response traffic will be ingress from the Link B. 

If I've set both of these interface in the same zone, untrust zone, does the firewall will be dropped because of asymmetric routing?? Or firewall wiil inspect traffic as usual becuase it return in the same zone, different interface but same zone?? 

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎09-05-2018 11:38 AM

@Sahaswetch,

Thats ..... a very odd way of doing things. Sessions are aware of the ingress and egress interface and session match expects this to always be true. I wouldn't expect the firewall to drop the traffic, but it would create a new session for all return traffic as it no longer matches the established session. Your security policies would then need to account for this. 

I'm honestly more wondering how your service provider is handling this; they would run into the same issues as you are going to be presented and it just seems like a really odd way to configure things. 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to BPry

‎09-06-2018 01:45 AM

the zones are more important than the interface from a session perspective, so you shouldn't see issues of multiple sessions or dropped packets

 

I do wonder if your ISP doesn't have a nicer means to solve this than to present you with this challenge 😉

Is there no way for them to aggregate the lines onto a single device so at least from your perspective you're communicating with just one host ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 2672 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks