you'll have many 'incomplete' sessions in one zone , and many non-syn-tcp in the other zone for incoming connections
outgoing you will not notice as the host will likely 'stick' to one interface for all/some of it's sessions.
only if the dual-homed system is set up as a gateway/router/... to pass along packets, you may see unexpected IP addresses in either zone. this can be addressed by enabling anti spoofing in a zone protection profile
Depending on the routing configured on these hosts there is no way to detect these hosts. Unlike what @Thyrion wrote, it does not need to be the case that you will see a lot of incomplete sessions or sessions with wrong source IPs in the wrong zones so if these hosts are configured correctly then also the anti spoofing feature does not help to prevent such connections.
So the best way probably to resolve these issues is to find out how it is possible for these hosts to simultanously connect to multiple networks behind your firewall and then try to implement preventions to eliminate this possibility for the users. If this still need to be possible for at least some computers, make sure you secure the network as good as possible from both security zones 😉
@vsys_remo incoming connections on one interface of the dual-homed system will be replied to via the default route (with the lowest metric) on the host. one interface will handle incoming connections properly, while the other will send replies out of the 'wrong' interface.
this is just a single potential way to find dual homed hosts, and not a necessity
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!