09-26-2024 10:23 AM
Hello,
I'd like to configure an NGFW with dual routed interfaces in some zone, call it "outside." If a host on the inside zone initiates traffic to the outside zone, that traffic will egress through one or the other outside interface. If the return traffic ingresses via the other interface, will the FW drop it? In other words, are the ingress and egress interfaces tracked as part of the FW session and required to be symmetric, or only the zones? In this packet flow doc, interfaces are not mentioned as part of the 6-tuple that comprises a flow (zones are).
Packet Flow Sequence in PAN-OS - Knowledge Base - Palo Alto Networks
It would actually seem a little weird (to me) that interfaces are NOT tracked, but ¯\_(ツ)_/¯
(This doc indicates that interfaces actually ARE tracked: Egress Path and Symmetric Return (paloaltonetworks.com), but it discusses traffic initiated from the outside and a feature for returning that traffic symmetrically, which doesn't help me. Also, the flow doc should be updated if that's true.)
Is there a nerd-knob that disables specific interface tracking?
I have other options, but 2 basic ospf links is the most straight forward.
Thank you for considering!
09-26-2024 11:57 AM
Hi @H.Tendrup ,
As you mentioned, the interface is NOT part of the 6-tuple key that identifies a session. If the traffic comes in a different interface but the same zone, it will NOT be dropped.
You mentioned the hypothetical zone "outside". If you are considering dual-ISPs, then the traffic out one interface will be NATed to the IP address on that interface which would dictate the return traffic coming back in the same interface.
If the 2 interfaces are L3, you will want to enable ECMP. For a dual-ISP scenario, you would want to enable symmetric return for VPN traffic. Interfaces are tracked for symmetric return, but they don't define the session. The doc you posted refers to PBF. Using routing for ECMP is more straightforward.
Thanks,
Tom
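The behaviour Tom describes (the interface is not part of the session key, only the zone is, so a reply arriving on a second interface in the same zone still matches the session, while a reply arriving from a different zone does not) can be illustrated with a small session-table model. This is an added example for this thread, not PAN-OS code or anything from the vendor docs; the interface-to-zone map, addresses and ports are constructed, and modelling the reply direction as the reversed tuple keyed on the egress interface's zone is an assumption made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed topology (assumption, not from the thread): two L3 interfaces
# share the "outside" zone, one sits in "inside", one in "dmz".
INTERFACE_ZONE = {
    "ethernet1/1": "inside",
    "ethernet1/2": "outside",
    "ethernet1/3": "outside",
    "ethernet1/4": "dmz",
}

# A flow key mirrors the 6-tuple discussed in the thread: addresses, ports,
# protocol and the zone the packet arrived in. The interface is deliberately
# absent, which is the point of the example.
FlowKey = Tuple[str, str, int, int, str, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ingress_if: str

    def flow_key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto,
                INTERFACE_ZONE[self.ingress_if])


@dataclass
class Session:
    c2s: FlowKey       # client-to-server direction, keyed on the original ingress zone
    s2c: FlowKey       # server-to-client direction, keyed on the zone replies arrive from
    ingress_if: str    # interfaces are remembered for diagnostics only,
    egress_if: str     # they never take part in the lookup


class SessionTable:
    """Toy session table: both directions of a session index the same entry."""

    def __init__(self) -> None:
        self._flows: Dict[FlowKey, Session] = {}

    def install(self, pkt: Packet, egress_if: str) -> Session:
        c2s = pkt.flow_key()
        # Assumption: the reply flow is the reversed tuple, and its zone is the
        # zone of the interface the original packet was forwarded out of.
        s2c = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto,
               INTERFACE_ZONE[egress_if])
        sess = Session(c2s, s2c, pkt.ingress_if, egress_if)
        self._flows[c2s] = sess
        self._flows[s2c] = sess
        return sess

    def classify(self, pkt: Packet) -> str:
        """One of 'no_session', 'match_symmetric', 'match_asymmetric_interface'."""
        key = pkt.flow_key()
        sess = self._flows.get(key)
        if sess is None:
            return "no_session"
        # Interface asymmetry is reported (symmetric-return features care about
        # it) but it does not change whether the packet matched the session.
        expected_if = sess.egress_if if key == sess.s2c else sess.ingress_if
        if pkt.ingress_if == expected_if:
            return "match_symmetric"
        return "match_asymmetric_interface"


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: inside host opens TCP/443 out via ethernet1/2,
    then the reply is tried on three different ingress interfaces."""
    table = SessionTable()
    first = Packet("10.0.0.10", "203.0.113.50", 51515, 443, "tcp", "ethernet1/1")
    table.install(first, egress_if="ethernet1/2")

    reply = ("203.0.113.50", "10.0.0.10", 443, 51515, "tcp")
    return {
        "reply_same_interface": table.classify(Packet(*reply, "ethernet1/2")),
        "reply_other_outside_interface": table.classify(Packet(*reply, "ethernet1/3")),
        "reply_from_dmz_zone": table.classify(Packet(*reply, "ethernet1/4")),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Running it shows the reply on ethernet1/3 is still found in the table (only flagged as arriving on a different interface than the session left through), whereas the same 5-tuple arriving from the dmz zone has no session at all, which is exactly the zone-not-interface distinction the answer makes.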
09-26-2024 11:14 AM
Hello @H.Tendrup
The asymmetric path monitoring feature can be configured in two ways:
For more information on configuring asymmetric path monitoring, please refer to the following document:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK