Palo Alto Networks Knowledgebase: How to Configure Symmetric Return

28266
Created On 09/25/18 17:19 PM - Last Updated 10/11/19 16:29 PM
Mobile Network Infrastructure 5.0 PAN-OS
Symptom
This document shows a simple configuration of the Symmetric Return or Return to Sender feature in PAN-OS 5.0.

Environment
PAN-OS 5.0

Resolution
This feature forwards the return packet to the MAC address from which the SYN or first packet of the session was received. This ensures that return traffic leaves on the same interface on which the session was created, which is useful in asymmetric routing or dual-ISP environments.

Example: Topology

ss1.png

In the diagram above, traffic from the client 5.1.1.1 can reach the internal server 192.168.83.2 via two public IPs, 1.1.1.83 and 2.1.1.83. Both public IPs are destination-translated to the internal server. If traffic arrives at the internal server via ISP1 on Ethernet 1/1, the return traffic is sent back via Ethernet 1/1 instead of the default route on Ethernet 1/2, as shown in the diagram below.


ss2.png

NAT

ss3.png

  • The INCOMING_NAT-ISP-1 and INCOMING_NAT-ISP-2 rules translate the public IP addresses to the internal server IP 192.168.83.2.
  • ISP1NAT and ISP2NAT translate outbound traffic leaving toward ISP1 and ISP2 respectively.


Network

ss4.png


Routing

ss5.png

  • The firewall is configured with only one default route going through ISP2.


PBF

  • Symmetric return is based on PBF.
  • Create a PBF rule that matches the incoming traffic so that the firewall sends the return traffic out the same ingress interface on which it was received.

ss6.png

  • Because symmetric return is based on interfaces, select the Source Type as Interface.

Note: Zone is not a valid source type for symmetric return. A tunnel interface is also not valid, since no MAC address is associated with a tunnel.

ss7.png

  • Select the destination IP address as the internal IP address of the server.
  • Configure Next Host IP address if Destination Network is not directly connected.

ss8.png

  • Ethernet 1/6 is selected as the egress interface because the internal server is on the same segment.
  • If the internal server is not on the same segment, specify the next hop used to reach it in the NEXT HOP field.
  • Select the IP address of ISP1 (1.1.1.84) as the next hop.
  • To verify that symmetric return is working, run the following commands:

    > show session id 6149
    Session            6149
            c2s flow:
                    source:      5.1.1.1 [DMZ]
                    dst:         1.1.1.83
                    proto:       1
                    sport:       13812           dport:      3
                    state:       INIT            type:       FLOW
                    src user:    unknown
                    dst user:    unknown
                    pbf rule:    ISP1-PBF 1

            s2c flow:
                    source:      192.168.83.2 [L3-Trust]
                    dst:         5.1.1.1
                    proto:       1
                    sport:       3               dport:      13812
                    state:       INIT            type:       FLOW
                    src user:    unknown
                    dst user:    unknown
                    pbf rule:    ISP1-PBF 1
                    symmetric return mac: 00:1b:17:05:8c:10

            start time                    : Tue Jan  8 16:23:55 2013
            timeout                       : 6 sec
            total byte count(c2s)         : 98
            total byte count(s2c)         : 98
            layer7 packet count(c2s)      : 1
            layer7 packet count(s2c)      : 1
            vsys                          : vsys1
            application                   : ping
            rule                          : all
            session to be logged at end   : True
            session in session ager       : False
            session synced from HA peer   : False
            address/port translation      : source + destination
            nat-rule                      : INCOMING_NAT-ISP-1(vsys1)
            layer7 processing             : enabled
            URL filtering enabled         : False
            session via syn-cookies       : False
            session terminated on host    : False
            session traverses tunnel      : False
            captive portal session        : False
            ingress interface             : ethernet1/1
            egress interface              : ethernet1/6
            session QoS rule              : N/A (class 4)

    The session matches the PBF rule that was created (ISP1-PBF), and the s2c flow shows the symmetric return MAC.

    In the output below, you can see the return MAC to which the return traffic is sent.

    > show pbf return-mac all
    current pbf configuation version:   0
    total return nexthop addresses :    8

    index   pbf id  ver  hw address          ip address
                         return mac          egress port
    --------------------------------------------------------------------------------
    7       1       2    00:1b:17:05:8c:10   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    2       1       0    00:00:00:00:00:00   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    6       1       1    00:1b:17:05:8c:10   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    8       1       2    00:00:00:00:00:00   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    5       1       1    00:00:00:00:00:00   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    9       1       3    00:1b:17:05:8c:10   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    1       1       0    00:1b:17:05:8c:10   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1
    10      1       3    00:00:00:00:00:00   1.1.1.84
                         00:1b:17:05:8c:10   ethernet1/1

    maximum of ipv4 return mac entries supported :     500
    total ipv4 return mac entries in table :           2
    total ipv4 return mac entries shown :              2
    status: s - static, c - complete, e - expiring, i - incomplete

    pbf rule        id   ip address      hw address        port         status   ttl
    --------------------------------------------------------------------------------
    ISP1-PBF        1    1.1.1.84        00:1b:17:05:8c:10 ethernet1/1    s      1603
    ISP1-PBF        1    5.1.1.1         00:1b:17:05:8c:10 ethernet1/1    c      1800
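As an added verification check (example code, not from the article or from Palo Alto Networks), the script below parses constructed excerpts in the format of the two command outputs above and confirms that the s2c flow carries a symmetric return MAC, that this MAC appears in the return-mac table, and that the table entry egresses on the session's ingress interface and is not marked incomplete.

```python
import re
# Constructed excerpts in the format of the two PAN-OS outputs shown above.
SESSION = """\
        c2s flow:
                pbf rule:    ISP1-PBF 1
        s2c flow:
                pbf rule:    ISP1-PBF 1
                symmetric return mac: 00:1b:17:05:8c:10
        ingress interface             : ethernet1/1
"""
RETURN_MACS = """\
pbf rule        id   ip address      hw address        port         status   ttl
ISP1-PBF        1    1.1.1.84        00:1b:17:05:8c:10 ethernet1/1    s      1603
ISP1-PBF        1    5.1.1.1         00:1b:17:05:8c:10 ethernet1/1    c      1800
"""
MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
ROW = re.compile(r"(\S+)\s+(\d+)\s+(\S+)\s+" + MAC + r"\s+(\S+)\s+([scei])\s+(\d+)$")

def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_session(text):
    # Only the s2c (return) flow of 'show session id' carries the symmetric return mac.
    s2c = text.split("s2c flow:", 1)[1] if "s2c flow:" in text else ""
    return {"pbf_rule": grab(r"pbf rule:\s*(\S+)", s2c),
            "return_mac": grab(r"symmetric return mac:\s*" + MAC, s2c),
            "ingress": grab(r"ingress interface\s*:\s*(\S+)", text)}

def parse_return_macs(text):
    # Rows of the per-rule table at the end of 'show pbf return-mac all'.
    rows = []
    for m in filter(None, (ROW.match(line.strip()) for line in text.splitlines())):
        rows.append({"ip": m.group(3), "mac": m.group(4), "port": m.group(5), "status": m.group(6)})
    return rows

def check_symmetric_return(session_text, return_mac_text):
    # Empty list: the return flow leaves on the interface the session arrived on.
    s, findings = parse_session(session_text), []
    if s["return_mac"] is None:
        return ["s2c flow has no symmetric return mac: PBF rule not matched or symmetric return off"]
    rows = [r for r in parse_return_macs(return_mac_text) if r["mac"] == s["return_mac"]]
    if not rows:
        findings.append("return mac %s is not in the return-mac table" % s["return_mac"])
    for r in rows:
        if r["port"] != s["ingress"]:
            findings.append("%s: table egress %s != session ingress %s" % (r["ip"], r["port"], s["ingress"]))
        if r["status"] == "i":
            findings.append("%s: return-mac entry is incomplete" % r["ip"])
    return findings
```

Feed it the full output of both commands; the header, separator and upper-table lines do not match the row pattern and are skipped.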



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail