How to Configure Symmetric Return

How to Configure Symmetric Return

Created On 09/25/18 17:19 PM - Last Modified 09/01/23 08:24 AM


This document shows a simple configuration of the Symmetric Return or Return to Sender feature


  • Palo Alto Firewall.
  • Symmetric Return


This feature forwards the packet to the MAC address from where the SYN or lost packet was received.  This ensures return traffic follows the same interface which the session created and is useful in asymmetric routing or Dual ISP environments.

Example: Topology


In the above diagram, traffic from the client can reach the internal server via two public IPs and  Both of these public IPs do a destination translation to the internal server.  If traffic arrives at the internal server via ISP1 on Ethernet 1/1, then the return traffic is returned via Ethernet 1/1 instead of the default route Ethernet 1/2 as shown in the diagram below.





  • INCOMING_NAT-ISP-1 and 2 rules are for translating the public IP address to internal server IP
  • ISP1NAT and ISP2NAT are for outbound traffic when traffic is leaving to ISP1 and ISP2 respectively






  • The firewall is configured with only one default route going through ISP2.



  • Symmetric return is based on PBF.
  • Create a PBF rule for incoming traffic into the firewall for sending the return traffic from the firewall to the same ingress interface as received.


  • Because the symmetric return is based on interfaces, select the Source Type as Interface.

NOTE: Zone is not a valid configuration.  Also, the loopback interface and tunnel interface are not valid since there is no mac-address associated with them.


  • Select the destination IP address as the internal IP address of the server.
  • Configure the Next Host IP address if Destination Network is not directly connected.


  • Ethernet 1/6 is selected as the egress interface because the internal server is on the same segment.
  • If the internal server is not on the same subnet then, specify the next hop to reach in the NEXT HOP field.
  • Select the IP address of ISP1 as the next hop (
  • Verify the symmetric route return is working, run the following commands:

    > show session id 6149
    Session            6149
            c2s flow:
                    source: [DMZ]
                    proto:       1
                    sport:       13812           dport:      3
                    state:       INIT            type:       FLOW
                    src user:    unknown
                    dst user:    unknown
                    pbf rule:    ISP1-PBF 1

            s2c flow:
                    source: [L3-Trust]
                    proto:       1
                    sport:       3               dport:      13812
                    state:       INIT            type:       FLOW
                    src user:    unknown
                    dst user:    unknown
                    pbf rule:    ISP1-PBF 1
                    symmetric return mac: 00:1b:17:05:8c:10

            start time                    : Tue Jan  8 16:23:55 2013
            timeout                       : 6 sec
            total byte count(c2s)         : 98
            total byte count(s2c)         : 98
            layer7 packet count(c2s)      : 1
            layer7 packet count(s2c)      : 1
            vsys                          : vsys1
            application                   : ping
            rule                          : all
            session to be logged at end   : True
            session in session ager       : False
            session synced from HA peer   : False
            address/port translation      : source + destination
            nat-rule                      : INCOMING_NAT-ISP-1(vsys1)
            layer7 processing             : enabled
            URL filtering enabled         : False

    The firewall is matching the PBF rule created.

    In the output below, you can see the return mac where traffic is being sent.

    > show pbf return-mac all
    current pbf configuation version:   0
    total return nexthop addresses :    8

    index   pbf id  ver  hw address          ip address
                         return mac          egress port
    7       1       2    00:1b:17:05:8c:10
                         00:1b:17:05:8c:10   ethernet1/1
    2       1       0    00:00:00:00:00:00
                         00:1b:17:05:8c:10   ethernet1/1
    6       1       1    00:1b:17:05:8c:10
                         00:1b:17:05:8c:10   ethernet1/1
    8       1       2    00:00:00:00:00:00
                         00:1b:17:05:8c:10   ethernet1/1
    5       1       1    00:00:00:00:00:00
                         00:1b:17:05:8c:10   ethernet1/1
    9       1       3    00:1b:17:05:8c:10
                         00:1b:17:05:8c:10   ethernet1/1
    1       1       0    00:1b:17:05:8c:10
                         00:1b:17:05:8c:10   ethernet1/1
    10      1       3    00:00:00:00:00:00
                         00:1b:17:05:8c:10   ethernet1/1

    maximum of ipv4 return mac entries supported :     500
    total ipv4 return mac entries in table :           2
    total ipv4 return mac entries shown :              2
    status: s - static, c - complete, e - expiring, i - incomplete

    pbf rule        id   ip address      hw address        port         status   ttl
    ISP1-PBF        1        00:1b:17:05:8c:10 ethernet1/1    s      1603
    ISP1-PBF        1         00:1b:17:05:8c:10 ethernet1/1    c      1800

            session via syn-cookies       : False
            session terminated on host    : False
            session traverses tunnel      : False
            captive portal session        : False
            ingress interface             : ethernet1/1
            egress interface              : ethernet1/6
            session QoS rule              : N/A (class 4)

    The device can support up to 8 IP addresses (verified on 820 and 5410, 30 on 5220).
    admin@PA-820> show system state | match max-return-address
    cfg.general.max-return-address: 0x8

    According to this limitation, we can configure up to 8 rules with one address (even if it is the same address).
    There may be fewer rules with more than one address, but the total must be eight.

  • Print
  • Copy Link

Choose Language