11-08-2021 02:43 AM
Dear community!
I'd like to consult with you about a possible solution for this scenario:
We have 2 internet lines from two interfaces of the PAN firewall connected to two different routers. Each interface is in a different zone.
When incoming and returning packets follow different paths, we have an asymmetric routing condition. The situation is similar to this one:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK
We configured the firewall to bypass the non-SYN TCP check, but we still have packets dropped with the counter "Packets dropped: forwarded to different zone".
Having both external interfaces in the same zone fixes the issue, but we'd like to have them in different zones.
A possible workaround could be using a PBF as in this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK
But this is also not an option, because the number of return MAC entries supported is not big enough for all the incoming sessions, meaning the firewall will drop new sessions when the table is full.
+ Is there a workaround to bypass the "Packets dropped: forwarded to different zone" counter and allow the firewall to forward s2c traffic to a different zone?
Thank you!
11-09-2021 05:31 AM - edited 11-09-2021 06:19 AM
Hi @Carracido ,
I saw the same behavior with an A/A HA setup. Are you in the same setup?
If so, have you considered changing the session setup options?
For more info please check:
Hope this helps,
-Kiwi.
11-09-2021 06:30 PM
Hi @kiwi,
Thank you for the answer.
No, we don't have an A/A HA setup, so that wouldn't be a solution for our scenario.
Cheers!
11-10-2021 04:59 AM
Hi @Carracido ,
You mentioned you have disabled the non-SYN TCP check, but did you set "asymmetric path" to bypass?
Have you allowed asymmetric path globally or per zone with a zone protection profile?
I haven't faced a situation like this, and I am wondering: what is the actual purpose of keeping the two ISP connections in different zones?
11-16-2021 01:18 AM
We tried allowing asymmetric path both globally and per zone; still the same issue.
The purpose of keeping the two ISP connections in different zones is to have more granularity in the security policies.
Kind Regards.
11-16-2021 01:47 AM
Hi @Carracido ,
What are you gaining from this granularity? Do the benefits you will gain justify adding such complexity?
Don't get me wrong - as I said, I haven't worked with such a setup, and I am interested in the motives and whether there are any other acceptable solutions.
I was hoping for the asymmetric path to do the trick... It is very unlikely, but are you applying any IP spoofing protection with the zone protection profile?
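As an added example (not from any post in this thread), here is the PAN-OS CLI form of the global and per-zone bypass settings discussed above, followed by the command used to watch the drop counter the original poster quotes. The zone name ISP-A and profile name ISP-A-ZPP are placeholders; check the exact syntax against your PAN-OS version.

```text
# Added example, not the thread's own configuration. Zone/profile names are placeholders.
configure

# Global: accept TCP sessions whose first seen packet is not a SYN (the OP already did this)
set deviceconfig setting session tcp-reject-non-syn no

# Global: let TCP segments that arrive via an unexpected path bypass the TCP state checks
set deviceconfig setting tcp asymmetric-path bypass

# Per-zone alternative: Zone Protection profile, Packet Based Attack Protection > TCP Drop
# (values are global | drop | bypass; "global" inherits the two settings above)
set network profiles zone-protection-profile ISP-A-ZPP non-syn-tcp bypass
set network profiles zone-protection-profile ISP-A-ZPP asymmetric-path bypass
set zone ISP-A network zone-protection-profile ISP-A-ZPP

commit
exit

# Verify: with "delta yes" the counter shows only increments since the last run,
# so run it twice while the affected traffic is flowing.
show counter global filter delta yes | match flow_fwd_zonechange
```

flow_fwd_zonechange is the global counter behind the text "Packets dropped: forwarded to different zone"; it is a session-zone consistency check on the return packet rather than a TCP state check, so the two bypass settings relaxing non-SYN and out-of-path TCP handling do not by themselves stop it from incrementing, which matches what the thread reports.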