05-24-2013 02:51 AM
Hi,
I am planning a firewall migration right now and trying to solve the problem that traffic comes in through two different interfaces during the migration (Internet through old firewall, Internet through new firewall). I was looking at policy based forwarding and stumbeled across the "e, nforce symmetric return" option, which unfortunately is not very well documented. Did anyone here use this yet and can shed some light on it for me?
If I understand it correctly, with this feature I could simply attach a PBF rule with no matching criteria (well, "any any") to an interface, select the "No PBF" action, and enable the "enforce symmetric return". Then traffic for that interface would always be routed back through the interface it came in through. Is this right?
Thanks
Sascha
05-25-2013 09:04 AM
Hello,
Here's a good document with a network diagram which can help,
Hope that helps!
Thanks,
Aditi
05-24-2013 05:45 AM
Hi Sascha
I think it is great to tackle new features, and I will be glad to try and answer your response.
I will attempt to write this out, but drawing it is a little easier. :smileysilly:
For ease of example:
Eth1/1 connects to ISP1 (old FW??) (1.1.1.2)
Eth1/2 connects to traffic from ISP2 (2.2.2.1)
Eth1/4 connects to subnet(s) (10.x.x.x or whatever)
In the new FW, there is only 1 static route bound, and it point to the eth1/1 interface (next hop is ISP = 1.1.1.102)
Return traffic FROM the internet, comes in on ISP2 (and therefore eth1/2) (next hop is 2.2.2.101)
The traffic goes through the FW and leaves (to the trusted network
You symmetric return would look like this:
SOURCE (eth1/2)
Destination (10.x,x,x)
ACTION: Forward
Egress Interface eth1/4
Enable Symmetric Return
Next Hop (2.2.2.101)
The "NO PBR rule" states that it will fall back the virtual router (not what you want it to do. You NEED a PBF Foward action rule)
PBF has to match a certain policy, hence the name :smileysilly:
In this example, as with other rules managing destination NAT, be sure to use the pre-NAT value for the destination address in the PBF rule since the rules are evaluated before the NAT changes are applied.
05-24-2013 08:47 AM
Thanks. Trying to wrap my head around this. So in your example, outgoing traffic would go out through ISP1/old_FW (the only static route on the PA), return traffic would come in through ISP2, go into trusted and response for that would go out through ISP2 again?
Say I have a DMZ and internet uplink on new_FW and a third interface to old_FW. Some traffic for DMZ server #1 is coming in through old_FW and some is coming in through new_FW. Could I use the enforce symmetric return feature to make sure response traffic from server #1 goes out the same interface the requests came in through?
and what is the NO PBF option good for if it basically disabled PBF?
05-24-2013 10:51 AM
So in your example, outgoing traffic would go out through ISP1/old_FW (the only static route on the PA), return traffic would come in through ISP2, go into trusted and response for that would go out through ISP2 again?
Yes... in a sense... WHAT if traffic comes INBOUND from ISP2? The default route on the FW states to go out Eth1/1, but that is not where the traffic originated. We need to enforce symmetric return. :smileysilly:
Could I use the enforce symmetric return feature to make sure response traffic from server #1 goes out the same interface the requests came in through?
Again, if the default GW is already eth1/1, then inbound traffic from Old_FW, going into the DMZ, would already go (based on the default GW) out eth1/1 (no need to enforce)
• No PBF—Do not alter the path that the packet will take.
This is a good question. My only comment would be, depending on how granular your PBF rules are, there could be some unique matching characteristics where PBF would forward traffic, and you need to tell it to specifically NOT to do it.
I do not have a great example to provide you.
05-24-2013 11:23 AM
Sorry, I am still not really getting it (might be a language barrier, not a native english speaker here). Let's say:
eth1 - old FW
eth2 - new FW (default route)
eth3 - DMZ
What I want:
Traffic for DMZ comes in at eth1: Send return traffic back out eth1
Traffic for DMZ comes in at eth2: Send return traffic back out eth2
For this I would put a PBF rule on the eth4 (DMZ) interface, right? The rule: src:any - dst:any - action:forward + enforce symetric return (next hop: eth1). DId I get that right?
As for "No PBF" action: Got it! Makes sense! 
Thanks!
05-24-2013 02:56 PM
You are somewhat correct.
My recommendation is I do not think you can put the src any and dest any.... you must create a policy, otherwise it matches ALL traffic.
Create an address group object of all subnets or addresses that you want to enforce on eth1
05-25-2013 02:27 AM
Yes sure, but I do want to match all traffic. I want all return traffic from the DMZ to go out the interface the requests came in through.
05-25-2013 10:29 AM
It sure does, Aditi. Thanks a lot. It's basically how I understood in the first place (except for that I was thinking the PBF rules should be bound to the DMZ Interface, but it's the other way around). Kudos!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
