Global Protect Asymmetric routing issue

L1 Bithead

Hey team, hope someone can help me. I am pretty new to Palo and I am trying to set up Global Protect Pre-Logon in our corporate environment. I have managed to get it all working in the lab (awesome); now doing that in the live environment is a different ball game...


The issue is that I am getting asymmetric routing: our default route goes out via another interface to a legacy firewall, and I can see that the GP WAN interface is sending traffic using the default route. Not sure how I can force traffic received on the GP WAN interface. Below is my setup.

IPs are different from live; these are just sample IPs.

WAN 1 - IP (has sub-IPs as well, one of which is used for the GP WAN)

WAN 2 - IP (this goes to our legacy WatchGuard firewall); the default route is also set to this, next hop is


The Portal and Gateway use a Loopback address.

Both WAN and Loopback are in the Internet zone.

Tunnel is in the Global Protect zone.

Destination NAT: any source zone, Internet destination zone, to Destination Address, Service (port 6000), Destination Translation address, port 443.

Security Policy 

Inbound - any source to Internet zone destination with address and Global Protect applications: Allow

Outbound - Global Protect zone, any address, to Corporate LAN, Internet, default application: Allow


Both loopback and tunnel have been added to the default router.


Now how do I say that any traffic going outbound goes via and NOT via the default route?


I tried setting up policy-based forwarding, but there doesn't seem to be any traffic going to it.

The policy is:

From interface WAN1, address and , negate the internal LANs, forward traffic to the WAN1 interface.


Cyber Elite


Have you set up an internal gateway for GlobalProtect? That way it doesn't have to go 'outside' to connect.


A couple of links that may help:



L4 Transporter



To achieve what you want, you will need to create policy-based forwarding for the outgoing traffic and enable "symmetric routing". The return traffic will then be recognized automatically.
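The practitioner detail behind the reply above is that PAN-OS evaluates PBF once per session, against the first (client-to-server) packet and the zone or interface it arrives on, and then applies the matched rule's symmetric-return next hop to the reply packets. A rule written from the point of view of the firewall's replies (ingress WAN1, destination "not the internal LANs") therefore never sees a session that began inbound from the Internet. The rule that does match is one that describes the inbound client traffic itself and enforces symmetric return, so replies leave through WAN1's upstream gateway regardless of the default route. The following is an added example and not configuration from the thread or from Palo Alto Networks. It assumes ethernet1/1 is WAN1, 203.0.113.1 is WAN1's upstream gateway, 198.51.100.10 is the WAN1 sub-IP used for GlobalProtect, and that PBF matches the pre-NAT destination (which is why the public sub-IP, not the loopback, is the destination). The set-command syntax is reproduced from memory of the PAN-OS configuration tree, so confirm each line with tab completion on your own PAN-OS version before committing:

```text
# Added example, not from the thread. Placeholders/assumptions:
#   ethernet1/1   = WAN1
#   203.0.113.1   = WAN1 upstream gateway
#   198.51.100.10 = WAN1 sub-IP used for the GlobalProtect portal/gateway
configure
set address GP-Public-IP ip-netmask 198.51.100.10/32

# Match the inbound client traffic (first packet of the session) on the Internet zone.
set rulebase pbf rules GP-Symmetric-Return from zone Internet
set rulebase pbf rules GP-Symmetric-Return source any
set rulebase pbf rules GP-Symmetric-Return destination GP-Public-IP
set rulebase pbf rules GP-Symmetric-Return application any
set rulebase pbf rules GP-Symmetric-Return service any

# Forward via WAN1 and pin the reply direction to WAN1's gateway.
set rulebase pbf rules GP-Symmetric-Return action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1
set rulebase pbf rules GP-Symmetric-Return enforce-symmetric-return enabled yes
set rulebase pbf rules GP-Symmetric-Return enforce-symmetric-return nexthop-address-list 203.0.113.1
commit

# Check: simulate a client hitting the GP portal on 443 and confirm the rule matches
# (operational-mode command, syntax assumed; adjust if your version differs).
test pbf-policy-match from Internet to Internet source 192.0.2.50 destination 198.51.100.10 protocol 6 destination-port 443
```

Because the rule keys on the session's ingress zone and pre-NAT destination, it is unaffected by the DNAT to the loopback and by the default route pointing at WAN2. Keep the rule scoped to the GlobalProtect address object only; a wider destination would silently steer unrelated inbound sessions through WAN1.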

Hey Abdul, 


I have already set up policy-based forwarding, or tried to; it goes something like:

Source Internet zone with IP (WAN subnet IP), negate destination (local subnets), forward to the next hop of WAN 1

but no traffic seems to be using that policy.

Did you find an answer to this problem? I'm having the same issue: I created PBF rules, but the traffic does not seem to hit them.
