When should I use "enforce symmetric return" in the PBF rules?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

When should I use "enforce symmetric return" in the PBF rules?

L3 Networker

What is the purpose of this setting? Doesn't all traffic go out the same route as it came in, anyway?


Cyber Elite
Cyber Elite

The only use case that I can think of off hand is asymetrical routing, this would ensure that your PBF rule actually gets the return traffic. 


* Gives a nice breakdown of why you would actually use it. 


That article mentions dual ISP's, and I do have dual ISP with PBF rules for failover. So traffic that comes in one ISP goes out the same ISP.

So by enabling this option, I can have traffic coming in one IP, and out a different IP? Like in ISP1 and out ISP2? That sounds exactly the opposite of enforcing symmetric return.

Hi @Maxstr


@BPry is right. The only case where you would need to use Symmetric Return is to ensure that the traffic returns through the same path where it originally came in. Regardless of having dual ISP you still can use this feature as all you want to achieve is to make sure the traffic is kept in a symmetrical fashion.


Although the article below mentions two ISPs, the only reason the author mentions that is because he want to show that redundancy is possible by configuring duplicated security and NAT policies, but notice that he only needed to configure one set of PBF policies to achieve what he wants which is to keep the traffic symmetrical.



Now responding your question:

Doesn't all traffic go out the same route as it came in, anyway? The answer here is depend. And the reason I say that is because it depends on what the backend server default gateway is. Imagine that the traffic coming in is going to a server, which the default gateway is not the firewall, but a router. It means that the response out to the client will source from a different IP, which will incur ina broken (Rejected) connection.


The below link is for an F5 Networks article that explains this scenario, and it tells you exactly what the behavior of an asymmetrical routing issue would be especially when dealing with NAT or in our case here PBF.



I hope this helps.



Thanks for the reply. The one thing that still confuses me is that when you enable Enforce Symmetric on the PBF rule, it opens up the box below it titled "Next hop address list" on the bottom.

If it were enforcing the same return path, why would you need to provide additional next-hop IP's?



There's a part in the above article that mentions all of that but,

'Configure Next Host IP address if Destination Network is not directly connected'

You have to remember that a PBF with symmetric return is essentially a routing policy that is simply processed pre-routing table. So you have to essentially provide all available routing options for people that actually need them to be present. 

sorry for digging out this years old threat but I have been trying to find some more detailled information on this but it seems some in depth insight of how this works is difficult to find...

Of course shortly after posting this I found the technical answer:

So for anyone who is/was wondering how its actually done, its explained there... answered all my open questions 🙂

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!