06-23-2017 07:48 AM
What is the purpose of this setting? Doesn't all traffic go out the same route as it came in, anyway?
06-23-2017 07:56 AM - edited 06-23-2017 07:58 AM
The only use case that I can think of off hand is asymetrical routing, this would ensure that your PBF rule actually gets the return traffic.
* Gives a nice breakdown of why you would actually use it.
06-23-2017 08:24 AM
06-23-2017 11:02 AM
Hi @Maxstr
@BPry is right. The only case where you would need to use Symmetric Return is to ensure that the traffic returns through the same path where it originally came in. Regardless of having dual ISP you still can use this feature as all you want to achieve is to make sure the traffic is kept in a symmetrical fashion.
Although the article below mentions two ISPs, the only reason the author mentions that is because he want to show that redundancy is possible by configuring duplicated security and NAT policies, but notice that he only needed to configure one set of PBF policies to achieve what he wants which is to keep the traffic symmetrical.
Now responding your question:
Doesn't all traffic go out the same route as it came in, anyway? The answer here is depend. And the reason I say that is because it depends on what the backend server default gateway is. Imagine that the traffic coming in is going to a server, which the default gateway is not the firewall, but a router. It means that the response out to the client will source from a different IP, which will incur ina broken (Rejected) connection.
The below link is for an F5 Networks article that explains this scenario, and it tells you exactly what the behavior of an asymmetrical routing issue would be especially when dealing with NAT or in our case here PBF.
I hope this helps.
06-23-2017 11:54 AM - edited 06-23-2017 11:56 AM
Thanks for the reply. The one thing that still confuses me is that when you enable Enforce Symmetric on the PBF rule, it opens up the box below it titled "Next hop address list" on the bottom.
If it were enforcing the same return path, why would you need to provide additional next-hop IP's?
06-23-2017 01:36 PM
There's a part in the above article that mentions all of that but,
'Configure Next Host IP address if Destination Network is not directly connected'
You have to remember that a PBF with symmetric return is essentially a routing policy that is simply processed pre-routing table. So you have to essentially provide all available routing options for people that actually need them to be present.
12-15-2020 01:48 AM - edited 12-15-2020 01:56 AM
sorry for digging out this years old threat but I have been trying to find some more detailled information on this but it seems some in depth insight of how this works is difficult to find...
Of course shortly after posting this I found the technical answer:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/policy-based-forwarding/pbf/egress...
So for anyone who is/was wondering how its actually done, its explained there... answered all my open questions 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
