Global Protect Asymmetric routing issue


L1 Bithead

Hey team, hope someone can help me. I am pretty new to Palo and I am trying to set up GlobalProtect Pre-Logon in our corporate environment. I have managed to get it all working in the lab (awesome); now doing that in the live environment is a different ball game...

 

The issue is that I am getting asymmetric routing: our default route goes out via another interface to a legacy firewall, and I can see that the GP WAN interface is sending traffic using the default route. Not sure how I can force traffic received on the GP WAN interface. Below is my setup.

IPs are different from live; these are just sample IPs.

WAN 1 - IP 192.168.50.1/30 (has sub IPs as well, one of which is used for the GP WAN, 192.168.10.1)

WAN 2 - IP 192.168.100.1/30 (this goes to our legacy WatchGuard firewall); the default route is also set to this, next hop 192.168.100.2/30

 

The Portal and Gateway use loopback address 10.10.10.253.

Both WAN and loopback are in the Internet zone.

Tunnel is in the GlobalProtect zone.

Destination NAT: any source zone, Internet destination zone, destination address 192.168.10.1, service (port 6000), destination translation address 10.10.10.253 port 443.

Security policy:

Inbound - any source to Internet zone destination with addresses 10.10.10.253 and 192.168.10.1, GlobalProtect applications, allow.

Outbound - GlobalProtect zone, any address, to Corporate LAN and Internet, default application, allow.

 

Both loopback and tunnel have been added to the default router.

Now how do I say any traffic from 192.168.10.1 going outbound goes via 192.168.50.1 and NOT via the default route?

I tried setting up a policy based forwarding rule, but there doesn't seem to be any traffic that is going to it.

The policy is:

From interface WAN1, addresses 192.168.50.1 and 10.10.10.253, negate the internal LANs, forward traffic to WAN1 interface 192.168.100.2.

Cyber Elite

Hello,

Have you set up an internal gateway for GlobalProtect? That way it doesn't have to go 'outside' to connect?

A couple of links that may help:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS

 

Regards,

L4 Transporter

Hi,

 

To achieve what you want, you will need to create policy based forwarding for outgoing traffic and enable "Symmetric Routing". The return traffic will then be recognized automatically.
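
A PBF rule of the kind this reply describes, written as PAN-OS set commands. This is an added illustration, not configuration from the thread or from Palo Alto Networks; it assumes the PAN-OS set-command syntax for PBF, that WAN1 is ethernet1/1 with upstream peer 192.168.50.2, and it reuses the sample addresses from the question.

```text
# Added example (not from the thread). Assumed: WAN1 = ethernet1/1, WAN1 upstream peer = 192.168.50.2,
# GP client traffic arrives on WAN1 for the pre-NAT address 192.168.10.1 (sample IPs from the question).
# The rule matches the inbound GlobalProtect session's first packet on WAN1; "enforce-symmetric-return"
# makes the firewall send the session's reply packets back out WAN1 to the listed next hop instead of
# following the default route towards WAN2.
set rulebase pbf rules GP-WAN1-Symmetric from interface ethernet1/1
set rulebase pbf rules GP-WAN1-Symmetric source any
set rulebase pbf rules GP-WAN1-Symmetric destination 192.168.10.1
set rulebase pbf rules GP-WAN1-Symmetric application any
set rulebase pbf rules GP-WAN1-Symmetric service any
set rulebase pbf rules GP-WAN1-Symmetric action forward egress-interface ethernet1/1
set rulebase pbf rules GP-WAN1-Symmetric action forward nexthop ip-address 192.168.50.2
set rulebase pbf rules GP-WAN1-Symmetric enforce-symmetric-return enabled yes
set rulebase pbf rules GP-WAN1-Symmetric enforce-symmetric-return nexthop-address-list 192.168.50.2
commit
```

PBF is evaluated on the pre-NAT destination, so the rule matches 192.168.10.1 rather than the loopback it is translated to; whether a session actually hit the rule can be read from the session details in the traffic log.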

Hey Abdul, 

 

I have already set up a policy based forwarding rule, or tried to, which goes something like:

Source Internet zone with IP (WAN subnet IP), negate destination (local subnets), forward to the next hop of WAN 1.

but no traffic seems to be using that policy.

Did you find an answer to this problem? I'm having the same issue, created PBF rules but the traffic does not seem to hit it.
