ingress/egress interfaces part of firewall session?


L0 Member

Hello,

I'd like to configure an NGFW with dual routed interfaces in some zone, call it "outside." If some host in the inside zone initiates traffic to the outside zone, the traffic will egress through one or the other of the outside interfaces; if the return traffic ingresses via the other interface, will the FW drop that traffic? In other words, are the ingress and egress interfaces tracked as part of the FW session and required to be symmetric, or just the zones? In this packet flow doc, interfaces are not mentioned as part of the 6-tuple that comprises a flow (zones are).

Packet Flow Sequence in PAN-OS - Knowledge Base - Palo Alto Networks

 

It would actually seem a little weird (to me) that interfaces are NOT tracked, but ¯\_(ツ)_/¯

(this doc indicates that interfaces actually ARE tracked: Egress Path and Symmetric Return (paloaltonetworks.com), but it discusses traffic initiated from the outside and using a feature to handle returning that traffic symmetrically - this doesn't help me. Also the flow doc should be updated, if that's true)

 

Is there a nerd-knob that disables specific interface tracking?

I have other options, but 2 basic ospf links is the most straight forward.

 

Thank you for considering!


Accepted Solutions

Cyber Elite

Hi @H.Tendrup ,

 

As you mentioned, the interface is NOT part of the 6-tuple key that identifies a session. If the traffic comes in a different interface but the same zone, it will NOT be dropped.

You mentioned the hypothetical zone "outside". If you are considering dual-ISPs, then the traffic out one interface will be NATed to the IP address on that interface which would dictate the return traffic coming back in the same interface.

If the 2 interfaces are L3, you will want to enable ECMP. For a dual-ISP scenario, you would want to enable symmetric return for VPN traffic. Interfaces are tracked for symmetric return, but they don't define the session. The doc you posted refers to PBF. Using routing for ECMP is more straightforward.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
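To make the point of the accepted answer concrete, here is a small Python model of a zone-keyed session table. It is an added illustration written for this thread, not PAN-OS code or anything from Palo Alto Networks. It assumes the 6-tuple session key the question refers to (source IP, destination IP, source port, destination port, protocol, source zone) and carries the ingress interface on each packet only to show that it plays no role in the lookup; the interface names, addresses and zone names are constructed for the example.

```python
"""Toy model of a session table keyed on a 6-tuple (addresses, ports,
protocol, zone) and NOT on interface. Added illustration, not PAN-OS code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the firewall. 'interface' is carried for
    illustration only; session_key() deliberately leaves it out."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    zone: str        # zone of the ingress interface
    interface: str   # ingress interface (hypothetical names such as ethernet1/2)


SessionKey = Tuple[str, str, int, int, str, str]


def session_key(pkt: Packet) -> SessionKey:
    """6-tuple: addresses, ports, protocol and the zone the packet came from."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto, pkt.zone)


class SessionTable:
    def __init__(self) -> None:
        self._table: Dict[SessionKey, dict] = {}

    def install(self, first_pkt: Packet, egress_zone: str, egress_if: str) -> dict:
        """Create a session from the initiating packet. The client-to-server
        key is taken from the packet; the server-to-client key is the reversed
        tuple keyed on the ZONE the reply is expected from, so any interface
        in that zone can deliver it. Interfaces are recorded only as metadata."""
        session = {"c2s_if": first_pkt.interface, "s2c_if": egress_if, "hits": 0}
        c2s = session_key(first_pkt)
        s2c = (first_pkt.dst_ip, first_pkt.src_ip, first_pkt.dst_port,
               first_pkt.src_port, first_pkt.proto, egress_zone)
        self._table[c2s] = session
        self._table[s2c] = session
        return session

    def match(self, pkt: Packet) -> Optional[dict]:
        """Return the session a packet belongs to, or None if there is none."""
        session = self._table.get(session_key(pkt))
        if session is not None:
            session["hits"] += 1
        return session


def classify(table: SessionTable, pkt: Packet) -> str:
    return "match" if table.match(pkt) is not None else "no-session"


def run_scenario() -> Dict[str, str]:
    """Inside host opens a connection out via ethernet1/2. The reply then
    arrives (a) on the other 'outside' interface, same zone, and (b) on an
    interface in a different zone. Only (b) misses the session."""
    table = SessionTable()
    outbound = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "tcp",
                      zone="inside", interface="ethernet1/1")
    table.install(outbound, egress_zone="outside", egress_if="ethernet1/2")

    reply_other_if = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp",
                            zone="outside", interface="ethernet1/3")
    reply_other_zone = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp",
                              zone="dmz", interface="ethernet1/4")
    return {
        "same_zone_other_interface": classify(table, reply_other_if),
        "other_zone": classify(table, reply_other_zone),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The model only covers the session-key question. The NAT point in the answer is separate: when the outbound flow is source-translated to the egress interface's address, the reply is addressed to that interface and so arrives there by routing, without the session table needing to know anything about interfaces.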


2 REPLIES

L3 Networker

Hello @H.Tendrup 

The asymmetric path monitoring feature can be configured in two ways:

  1. Global configuration: This applies the monitoring to all zones on the device.
  2. Zone protection: This allows you to configure monitoring for individual zones.

For more information on configuring asymmetric path monitoring, please refer to the following document:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK

Jorge Pomachagua
PCNSE, PCNSC.
