Global Protect Asymmetric routing issue

L1 Bithead

Hey team, hope someone can help me. I am pretty new to Palo Alto and I am trying to set up GlobalProtect Pre-Logon in our corporate environment. I have managed to get it all working in the lab (awesome); now doing that in the live environment is a different ball game...

The issue is that I am getting asymmetric routing: our default route goes out via another interface to a legacy firewall, and I can see that the GP WAN interface is sending traffic using the default route. Not sure how I can force traffic received from the GP WAN interface. Below is my setup.

IPs are different from live; these are just sample IPs.

WAN 1 - IP 192.168.50.1/30 (has sub IPs as well, one of which is used for the GP WAN: 192.168.10.1)

WAN 2 - IP 192.168.100.1/30 (this goes to our legacy WatchGuard firewall); the default route is also set to this, with next hop 192.168.100.2/30

The Portal and Gateway use loopback address 10.10.10.253

Both WAN and loopback are in the Internet zone

Tunnel is in the GlobalProtect zone

Destination NAT: any source zone, Internet destination zone, destination address 192.168.10.1, service (port 6000), destination translation address 10.10.10.253 port 443

Security policy:

Inbound - any source to Internet zone destination with addresses 10.10.10.253 and 192.168.10.1, GlobalProtect applications, allow

Outbound - GlobalProtect zone, any address, to Corporate LAN and Internet, default application, allow

Both loopback and tunnel have been added to the default router.

Now how do I say that any traffic from 192.168.10.1 going outbound goes via 192.168.50.1 and NOT via the default route?

I tried setting up policy-based forwarding, but there doesn't seem to be any traffic that is going to it.

The policy is:

From interface WAN1, addresses 192.168.50.1 and 10.10.10.253, negate the internal LANs, forward traffic to WAN1 interface 192.168.100.2.


Cyber Elite

Hello,

Have you set up an internal gateway for GlobalProtect? That way it doesn't have to go 'outside' to connect.

A couple of links that may help:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS

Regards,

L3 Networker

Hi,

To achieve what you want, you will need to create policy-based forwarding for outgoing traffic and enable "Symmetric Return". The return traffic will then be recognized automatically.
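The reply above and the original poster's own PBF attempt (match on WAN1, negate the internal LANs, forward to WAN1) both describe the same mechanism: a policy-based forwarding rule with symmetric return enabled, so that reply packets of a matched session are sent back to the next hop the rule names instead of following the default route. The set-command configuration below is an added example written for this thread; it is not configuration posted by anyone here or taken from a Palo Alto Networks document. Everything in it that is not in the posts is an assumption: WAN1 is ethernet1/1; the ISP1 gateway is 192.168.50.2 (the other usable address in the 192.168.50.0/30); the rule matches the client's inbound GlobalProtect connection at its pre-NAT destination 192.168.10.1 on TCP/6000 rather than the firewall's own outbound replies, since PBF is evaluated on traffic arriving on an interface; and it matches on the ingress interface rather than the Internet zone because both WAN interfaces share that zone. The command syntax is from memory of the PAN-OS 9.x/10.x configure tree, so check each branch with `?` before committing, and confirm the match direction on your version with `test pbf-policy-match` after the commit.

```text
# Added example, not from the thread. Assumed names and addresses:
#   WAN1 interface   = ethernet1/1
#   ISP1 gateway     = 192.168.50.2   (assumed peer of 192.168.50.1/30)
#   GP public IP     = 192.168.10.1   (sub-IP on WAN1, from the post)
#   GP loopback      = 10.10.10.253   (from the post)
# Syntax recalled from the PAN-OS 9.x/10.x set-command tree; verify with "?".

configure

# Service object for the pre-NAT GP port. PBF matches the original
# (pre-NAT) destination, so use 192.168.10.1:6000, not 10.10.10.253:443.
set service gp-tcp-6000 protocol tcp port 6000

# Match the inbound GP connection on the WAN1 *interface*, not the
# Internet zone: WAN1 and WAN2 are in the same zone, and a zone match
# would also pull in sessions arriving on WAN2.
set rulebase pbf rules GP-WAN1-symmetric from interface ethernet1/1
set rulebase pbf rules GP-WAN1-symmetric source any
set rulebase pbf rules GP-WAN1-symmetric source-user any
set rulebase pbf rules GP-WAN1-symmetric destination 192.168.10.1
set rulebase pbf rules GP-WAN1-symmetric application any
set rulebase pbf rules GP-WAN1-symmetric service gp-tcp-6000

# Forward action naming WAN1 and the ISP1 gateway, plus symmetric return:
# reply packets of a session that matched this rule are sent to the
# listed next hop instead of being routed via the default route on WAN2.
set rulebase pbf rules GP-WAN1-symmetric action forward egress-interface ethernet1/1
set rulebase pbf rules GP-WAN1-symmetric action forward nexthop ip-address 192.168.50.2
set rulebase pbf rules GP-WAN1-symmetric enforce-symmetric-return enabled yes
set rulebase pbf rules GP-WAN1-symmetric enforce-symmetric-return nexthop-address-list 192.168.50.2

commit
exit

# Verification (operational mode). 203.0.113.10 is a constructed sample
# client address (RFC 5737 documentation range), not from the post.
test pbf-policy-match from Internet source 203.0.113.10 destination 192.168.10.1 protocol 6 destination-port 6000
show session all filter destination 10.10.10.253 destination-port 443
```

If `test pbf-policy-match` reports no matching rule for the inbound five-tuple, the rule is not seeing the traffic at all, which is the symptom the original poster describes for a rule keyed on the firewall's own source addresses; fix the match before looking at the symmetric-return side. Once the rule matches, a GP session in `show session all` for 10.10.10.253:443 should show the PBF rule name in its detail (`show session id <id>`), and a packet capture on ethernet1/1 should show the replies leaving via WAN1.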

L1 Bithead

Hey Abdul, 

I have already set up policy-based forwarding, or tried to, which goes something like:

Source Internet zone with IP (WAN subnet IP), negate destination (local subnets), forward to next hop of WAN 1

but no traffic seems to be using that policy.
