01-29-2019 08:29 PM
I recently submitted a case to PA support about one of the internet-facing interfaces, which can neither reach outside nor be reached from outside. Using ping to diagnose, I found that the ping (request) and ping (reply) use two different routes.
This is because the two interfaces each have their own zone and serve different purposes:
1. Staff use the 1st data line, and use the 2nd data line if the first one goes down.
2. Guests use only the 2nd data line.
This was achieved with NAT and Policy Based Forwarding.
The problematic one is the 2nd interface, which has the asymmetric routing issue.
But I set up only one virtual router, in which the static route for the 1st data line has the higher priority. This causes outgoing traffic to always use the 1st interface and return from the 2nd interface.
PA support suggested I merge the two interfaces into the same zone. But I suspect this may violate the network design mentioned above.
Is there any way to force the 2nd interface's outgoing and incoming traffic to always use the same route?
01-30-2019 05:32 AM
What about pointing your default route to your 2nd data line, then adding a PBF rule to force traffic (for staff only, if that's your requirement) out via the 1st data line, and enabling the "enforce symmetric return" option?
On the PBF rule you would then enable monitoring, so that if the gateway for the 1st data line is unreachable, failover to the 2nd data line works by going out via the default route once the PBF rule is disabled, per the option "Disable this rule if nexthop/monitor is unreachable".
Cheers,
Luke.
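The configuration Luke describes, expressed as PAN-OS CLI `set` commands. This is an added example, not part of the original thread and not taken from Palo Alto Networks documentation: the interface names, zone names, subnets and gateway addresses are placeholders (RFC 5737 ranges), and the command syntax is written from memory of the PAN-OS 8.x/9.x CLI, so check each line with `?` completion on the actual firewall before committing. One caveat that matters for the original question: PBF applies only to transit traffic. The firewall's own alert emails, content updates and pings follow the virtual router's routing table and any configured service routes, not this PBF rule.

```text
# Placeholders (assumed): ethernet1/1 = 1st data line, gateway 203.0.113.1
#                         ethernet1/2 = 2nd data line, gateway 198.51.100.1
#                         staff subnet 10.10.0.0/24 in zone trust-staff
#                         guest subnet 10.20.0.0/24 in zone trust-guest
configure

# 1. Default route via the 2nd data line: guests, firewall-originated traffic
#    and anything not caught by PBF leave via ethernet1/2 and return the same way.
set network virtual-router default routing-table ip static-route default-via-line2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# 2. Path-monitor profile used by the PBF rule (pings the line-1 gateway).
set network profiles monitor-profile line1-monitor interval 3 threshold 5 action fail-over

# 3. PBF rule: staff traffic is forced out the 1st data line; with symmetric
#    return enabled, replies to sessions that arrived on ethernet1/1 are sent
#    back out ethernet1/1 to the listed next hop instead of via the default route.
set rulebase pbf rules staff-via-line1 from zone trust-staff
set rulebase pbf rules staff-via-line1 source 10.10.0.0/24
set rulebase pbf rules staff-via-line1 destination any
set rulebase pbf rules staff-via-line1 application any
set rulebase pbf rules staff-via-line1 service any
set rulebase pbf rules staff-via-line1 action forward egress-interface ethernet1/1
set rulebase pbf rules staff-via-line1 action forward nexthop ip-address 203.0.113.1
# Monitoring: if 203.0.113.1 stops answering, the rule is disabled and staff
# traffic falls through to the default route (the 2nd data line).
set rulebase pbf rules staff-via-line1 action forward monitor profile line1-monitor ip-address 203.0.113.1 disable-if-unreachable yes
set rulebase pbf rules staff-via-line1 enforce-symmetric-return enabled yes nexthop-address-list 203.0.113.1

commit
exit

# Checks (operational mode), addresses again placeholders:
# Which PBF rule a staff flow matches and whether it egresses ethernet1/1:
test pbf-policy-match from trust-staff to untrust-1 source 10.10.0.50 destination 192.0.2.10 protocol 6 destination-port 443
# Routing-table lookup: guests and firewall-originated traffic should resolve
# to ethernet1/2 now that the default route points at the 2nd data line:
test routing fib-lookup virtual-router default ip 192.0.2.10
```

The design choice here is to make the routing table agree with the line that has no PBF rule (the 2nd data line), so that the only asymmetric case, staff traffic leaving via line 1 while the route points at line 2, is handled explicitly by the symmetric-return option rather than by the routing table.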
01-30-2019 07:36 PM
Hello LukeBullimore,
If I set the 2nd data line to higher priority, will the same problem happen on the 1st data line?
In my current settings, the user subnet can use the 2nd data line to reach the internet. Only the interface itself cannot. I want to use this interface for sending alert emails and getting PAN-OS updates.
The 1st data line needs no service route. But I still hope it can be pinged.