I am planning a firewall migration right now and trying to solve the problem that traffic comes in through two different interfaces during the migration (Internet through old firewall, Internet through new firewall). I was looking at policy based forwarding and stumbeled across the "e, nforce symmetric return" option, which unfortunately is not very well documented. Did anyone here use this yet and can shed some light on it for me?
If I understand it correctly, with this feature I could simply attach a PBF rule with no matching criteria (well, "any any") to an interface, select the "No PBF" action, and enable the "enforce symmetric return". Then traffic for that interface would always be routed back through the interface it came in through. Is this right?
I think it is great to tackle new features, and I will be glad to try and answer your response.
I will attempt to write this out, but drawing it is a little easier. :smileysilly:
For ease of example:
Eth1/1 connects to ISP1 (old FW??) (184.108.40.206)
Eth1/2 connects to traffic from ISP2 (220.127.116.11)
Eth1/4 connects to subnet(s) (10.x.x.x or whatever)
In the new FW, there is only 1 static route bound, and it point to the eth1/1 interface (next hop is ISP = 18.104.22.168)
Return traffic FROM the internet, comes in on ISP2 (and therefore eth1/2) (next hop is 22.214.171.124)
The traffic goes through the FW and leaves (to the trusted network
You symmetric return would look like this:
Egress Interface eth1/4
Enable Symmetric Return
Next Hop (126.96.36.199)
The "NO PBR rule" states that it will fall back the virtual router (not what you want it to do. You NEED a PBF Foward action rule)
PBF has to match a certain policy, hence the name :smileysilly:
In this example, as with other rules managing destination NAT, be sure to use the pre-NAT value for the destination address in the PBF rule since the rules are evaluated before the NAT changes are applied.
Thanks. Trying to wrap my head around this. So in your example, outgoing traffic would go out through ISP1/old_FW (the only static route on the PA), return traffic would come in through ISP2, go into trusted and response for that would go out through ISP2 again?
Say I have a DMZ and internet uplink on new_FW and a third interface to old_FW. Some traffic for DMZ server #1 is coming in through old_FW and some is coming in through new_FW. Could I use the enforce symmetric return feature to make sure response traffic from server #1 goes out the same interface the requests came in through?
and what is the NO PBF option good for if it basically disabled PBF?
So in your example, outgoing traffic would go out through ISP1/old_FW (the only static route on the PA), return traffic would come in through ISP2, go into trusted and response for that would go out through ISP2 again?
Yes... in a sense... WHAT if traffic comes INBOUND from ISP2? The default route on the FW states to go out Eth1/1, but that is not where the traffic originated. We need to enforce symmetric return. :smileysilly:
Could I use the enforce symmetric return feature to make sure response traffic from server #1 goes out the same interface the requests came in through?
Again, if the default GW is already eth1/1, then inbound traffic from Old_FW, going into the DMZ, would already go (based on the default GW) out eth1/1 (no need to enforce)
• No PBF—Do not alter the path that the packet will take.
This is a good question. My only comment would be, depending on how granular your PBF rules are, there could be some unique matching characteristics where PBF would forward traffic, and you need to tell it to specifically NOT to do it.
I do not have a great example to provide you.
Sorry, I am still not really getting it (might be a language barrier, not a native english speaker here). Let's say:
eth1 - old FW
eth2 - new FW (default route)
eth3 - DMZ
What I want:
Traffic for DMZ comes in at eth1: Send return traffic back out eth1
Traffic for DMZ comes in at eth2: Send return traffic back out eth2
For this I would put a PBF rule on the eth4 (DMZ) interface, right? The rule: src:any - dst:any - action:forward + enforce symetric return (next hop: eth1). DId I get that right?
As for "No PBF" action: Got it! Makes sense!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!