Dual ISP - ECMP and/or PBF


L2 Linker

So this may be a 2-part question. First, we have 2 ISPs, both equal bandwidth, so I've set up ECMP using IP Modulo. Do I need to set up PBF, or is that for if you don't have equal ISPs?

2nd, and the real issue: one of my applications that is tied via public DNS to my secondary ISP can't be reached. I've set up NAT and Security policy to it (I think correctly), but when I monitor the traffic I never see it attempt to hit it. This is a new firewall, so wondering if it's an issue with route setup? Any advice would be appreciated.

Cyber Elite

ECMP can also be configured to assign a weight to each interface so the "bandwidth" is balanced the way you prefer it.

Not sure if the traffic you're describing is inbound or outbound?

On the inbound (from the internet to a service hosted internally) you can enable 'symmetric return' on the ECMP configuration to ensure packets flow back to the originating ISP.

On the outbound you can create a PBF policy to force your outbound packets for your particular destination out of your preferred ISP interface.

Your NAT rules should be set to an egress interface so NAT is applied in correspondence to the ISP the packets are egressing to.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite

@branedge,

@branedge wrote:

First, we have 2 ISPs, both equal bandwidth, so I've set up ECMP using IP Modulo. Do I need to set up PBF, or is that for if you don't have equal ISPs?

attempt to hit it. This is a new firewall, so wondering if it's an issue with route setup? Any advice would be appreciated.

In your situation, whether or not you use PBF would depend on a couple of different factors. Your ECMP setup won't mandate the use of PBF by itself; however, certain situations may have you wanting a subset of traffic to always exit from a given ISP. In short though, no: unless you need it for something else, you won't need to utilize PBF.

@branedge wrote:

One of my applications that is tied via public DNS to my secondary ISP can't be reached. I've set up NAT and Security policy to it (I think correctly), but when I monitor the traffic I never see it attempt to hit it. This is a new firewall, so wondering if it's an issue with route setup? Any advice would be appreciated.

This second question is harder to answer without knowing what you've actually configured. First and foremost, have you enabled logging on the interzone-default policy, or otherwise set up a logged "deny-all" policy at the end of your rulebase? Without this setup, you could be denying the traffic and the firewall won't log it by default.

Secondly, are you using symmetric return on your ECMP configuration?

I have disabled my PBF rules for now.

The interzone-default policy did not have logging on (had to override it), but I turned it on for "log at session start" only. Should this stay on?

I have Symmetric Return enabled in ECMP but not Strict Source Path.

Basic Layout

...not real info...

Public DNS records:
   app1.publicdomain.com 168.x.x.x
   app2.publicdomain.com 207.x.x.x

Internal NAT:
   app1.local.com 172.3.3.5
   app2.local.com 172.3.3.10

Onsite: app1 and app2 work.
Offsite: app1 works but not app2.

I have 2 zones (zone168 and zone207), with 2 physical connections.

NAT policy: [screenshot attached, branedge_0-1688125397153.png]

Security policy: [screenshot attached, branedge_1-1688125714298.png]
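To make the pieces the two replies mention concrete, here is an added PAN-OS CLI set-command sketch of the layout described in this thread; it is an illustration, not configuration from the thread or from Palo Alto Networks. It assumes ethernet1/1 carries the 168 ISP (zone168), ethernet1/2 carries the 207 ISP (zone207), the servers sit in an internal zone named trust, the 168.x.x.1 / 207.x.x.1 next hops and the rule names are made up, and the 168.x.x.x / 207.x.x.x placeholders are the poster's own; exact keywords vary by PAN-OS release, so confirm each command with CLI completion before committing.

```text
# Annotation lines (starting with #) are not CLI input.
# Assumed: ethernet1/1 = ISP 168 (zone168), ethernet1/2 = ISP 207 (zone207),
# internal zone "trust", next hops 168.x.x.1 / 207.x.x.1 are placeholders.

# Two default routes with the same metric so the virtual router can ECMP across both ISPs
set network virtual-router default routing-table ip static-route isp168 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 168.x.x.1 metric 10
set network virtual-router default routing-table ip static-route isp207 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 207.x.x.1 metric 10

# ECMP with IP-modulo hashing. Symmetric return makes the reply to an inbound
# session leave through the ISP it arrived on; without it the reply can be hashed
# out the other ISP and sourced from an address that provider does not route.
set network virtual-router default ecmp enable yes
set network virtual-router default ecmp max-path 2
set network virtual-router default ecmp algorithm ip-modulo
set network virtual-router default ecmp symmetric-return yes

# Destination NAT for app2. The pre-NAT destination zone is zone207 because
# 207.x.x.x is a connected address on ethernet1/2; pinning the rule to that
# egress interface keeps it from matching traffic arriving via the other ISP.
set rulebase nat rules dnat-app2 from zone207 to zone207 source any destination 207.x.x.x service any to-interface ethernet1/2 destination-translation translated-address 172.3.3.10
set rulebase nat rules dnat-app1 from zone168 to zone168 source any destination 168.x.x.x service any to-interface ethernet1/1 destination-translation translated-address 172.3.3.5

# Security policy matches the post-NAT zone (trust) but the pre-NAT destination
# address (207.x.x.x); log at session end so the final application is recorded.
set rulebase security rules allow-app2-in from zone207 to trust source any destination 207.x.x.x application any service application-default action allow log-end yes

# Log the implicit interzone deny so silently dropped inbound attempts appear in the Traffic log
set rulebase default-security-rules rules interzone-default log-end yes
```

With the deny logging in place, a missing hit on allow-app2-in combined with an interzone-default deny entry points at the NAT or security zone match rather than at routing.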

 

 

 

   
