Symmetric Return Details - DNAT - PBF Out or PBF In return Symmetric

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Symmetric Return Details - DNAT - PBF Out or PBF In return Symmetric

L4 Transporter

Symmetric Return Details - DNAT - PBF Out or PBF In return Symmetric

 

Hello Live Community, good evening, as always, thanks for the good vibes, the collaboration and your time.

 

One doubt, I have managed to validate this behavior associated to environment, with two or three ISP Internet links, when I point 2 DNAT to the same IP. And of course to force that the ISP, which does not have the default route, can enter and exit through the same link.

Now my doubt is the following, and I have not been able to check it: This also applies or eventually would also apply when it is not the same destination Host ?

 

Example:

 

4 Servers ( on the same Network 10.0.1.0/24 ) , that all of them, their default routes point to the Primary ISP. But 2 of these servers, must be Nateados/DNAT, with the Public IPs of the secondary link, which has no default route, ECMP is not enabled in the AP, and these two servers go out to the Internet through the main one. For the case of these 2 servers, which will use public IPs of the second link, should I also configure a PBF, with symmetric return, as detailed in Link, or better to force the output with an output PBF, so that the output goes through the secondary link for these 2 servers and there is no issue with the DNAT and the symmetric return? What do you recommend, the PBF for the symmetrical return, or the PBF to force the output of those through the secondary?

 

I know it is bad practice, to use DNAT, and expose services to the Internet, I know it is, but you know for certain specific cases it is necessary. The connections are protected, it opens only the necessary ports and apps and if it is possible it is filtered by Origin, of Public IP of known and valid origin.

 

Link:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK

 

Thanks, I remain attentive

 

Best regards

High Sticker
1 REPLY 1

Community Team Member

Hi @Metgatz ,

 

Thanks for your question. I would recommend you enforce symmetric return through PBF to go through ISP2 if you have users actively using the public IPs advertised from ISP2. As far as default route for the 2 servers, you could choose to have them go out ISP2 for redundancy if that is something you would like to implement.

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1053 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!