How to Configure Symmetric Return
Symptom
This document shows a simple configuration of the Symmetric Return (also called Return to Sender) feature.
Environment
- Palo Alto Firewall.
- Symmetric Return
Resolution
This feature forwards the return packet to the MAC address from which the SYN or first packet was received. This ensures that return traffic leaves through the same interface on which the session was created, which is useful in asymmetric routing or dual-ISP environments.
Example: Topology
In the above diagram, traffic from the client 5.1.1.1 can reach the internal server 192.168.83.2 via two public IPs, 1.1.1.83 and 2.1.1.83. Both public IPs are destination-translated to the internal server. If traffic arrives at the internal server via ISP1 on Ethernet 1/1, the return traffic is sent back via Ethernet 1/1 instead of following the default route out Ethernet 1/2, as shown in the diagram below.
NAT
- INCOMING_NAT-ISP-1 and 2 rules are for translating the public IP address to internal server IP 192.168.83.2
- ISP1NAT and ISP2NAT are for outbound traffic when traffic is leaving to ISP1 and ISP2 respectively
Network
Routing
- The firewall is configured with only one default route going through ISP2.
PBF
- Symmetric return is based on PBF.
- Create a PBF rule that matches the incoming traffic so that the firewall sends the return traffic out the same interface on which it was received.
- Because symmetric return is based on interfaces, select Interface as the Source Type.
NOTE: Zone is not a valid source type. Loopback and tunnel interfaces are also not valid, because no MAC address is associated with them.
- Select the destination IP address as the internal IP address of the server.
- Configure the Next Hop IP address if the destination network is not directly connected.
- Ethernet 1/6 is selected as the egress interface because the internal server is on the same segment.
- If the internal server is not on the same subnet, specify the next hop used to reach it in the NEXT HOP field.
- Select the IP address of ISP1 (1.1.1.84) as the next hop.
- To verify that symmetric return is working, run the following commands:
> show session id 6149

Session 6149

  c2s flow:
    source:      5.1.1.1 [DMZ]
    dst:         1.1.1.83
    proto:       1
    sport:       13812           dport:      3
    state:       INIT            type:       FLOW
    src user:    unknown
    dst user:    unknown
    pbf rule:    ISP1-PBF 1

  s2c flow:
    source:      192.168.83.2 [L3-Trust]
    dst:         5.1.1.1
    proto:       1
    sport:       3               dport:      13812
    state:       INIT            type:       FLOW
    src user:    unknown
    dst user:    unknown
    pbf rule:    ISP1-PBF 1
    symmetric return mac: 00:1b:17:05:8c:10

  start time                    : Tue Jan  8 16:23:55 2013
  timeout                       : 6 sec
  total byte count(c2s)         : 98
  total byte count(s2c)         : 98
  layer7 packet count(c2s)      : 1
  layer7 packet count(s2c)      : 1
  vsys                          : vsys1
  application                   : ping
  rule                          : all
  session to be logged at end   : True
  session in session ager       : False
  session synced from HA peer   : False
  address/port translation      : source + destination
  nat-rule                      : INCOMING_NAT-ISP-1(vsys1)
  layer7 processing             : enabled
  URL filtering enabled         : False
  session via syn-cookies       : False
  session terminated on host    : False
  session traverses tunnel      : False
  captive portal session        : False
  ingress interface             : ethernet1/1
  egress interface              : ethernet1/6
  session QoS rule              : N/A (class 4)

The firewall is matching the PBF rule that was created.

In the output below, you can see the return MAC to which the return traffic is being sent.

> show pbf return-mac all
current pbf configuation version:      0
total return nexthop addresses :       8

index  pbf id  ver  hw address         ip address   return mac         egress port
--------------------------------------------------------------------------------
7      1       2    00:1b:17:05:8c:10  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
2      1       0    00:00:00:00:00:00  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
6      1       1    00:1b:17:05:8c:10  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
8      1       2    00:00:00:00:00:00  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
5      1       1    00:00:00:00:00:00  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
9      1       3    00:1b:17:05:8c:10  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
1      1       0    00:1b:17:05:8c:10  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1
10     1       3    00:00:00:00:00:00  1.1.1.84     00:1b:17:05:8c:10  ethernet1/1

maximum of ipv4 return mac entries supported : 500
total ipv4 return mac entries in table : 2
total ipv4 return mac entries shown : 2
status: s - static, c - complete, e - expiring, i - incomplete

pbf rule   id  ip address  hw address         port         status  ttl
--------------------------------------------------------------------------------
ISP1-PBF   1   1.1.1.84    00:1b:17:05:8c:10  ethernet1/1  s       1603
ISP1-PBF   1   5.1.1.1     00:1b:17:05:8c:10  ethernet1/1  c       1800
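As an added example (not from this article or from Palo Alto Networks), the following Python script parses the two outputs above and flags the conditions a practitioner checks by hand: that the s2c flow matched a PBF rule, that a return MAC was recorded on the session, that the MAC resolves on the session's ingress interface, and that the return-mac entry is not incomplete. The sample inputs are constructed, trimmed copies of the CLI output shown on this page; the function and field names are the script's own.

```python
import re
# Constructed sample input: trimmed copies of the two CLI outputs shown on this page.
SESSION_OUTPUT = """\
Session 6149
  c2s flow:
    source: 5.1.1.1 [DMZ]
    pbf rule: ISP1-PBF 1
  s2c flow:
    source: 192.168.83.2 [L3-Trust]
    pbf rule: ISP1-PBF 1
    symmetric return mac: 00:1b:17:05:8c:10
  ingress interface : ethernet1/1
"""
RETURN_MAC_OUTPUT = """\
pbf rule   id  ip address  hw address         port         status  ttl
ISP1-PBF   1   1.1.1.84    00:1b:17:05:8c:10  ethernet1/1  s       1603
ISP1-PBF   1   5.1.1.1     00:1b:17:05:8c:10  ethernet1/1  c       1800
"""
ROW_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+([0-9a-f:]{17})\s+(\S+)\s+([scei])\s+\d+")

def parse_session(text):
    """Extract the fields that matter for symmetric return from 'show session id' output."""
    def field(label, scope=text):
        m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", scope, re.M)
        return m.group(1) if m else None
    s2c = text.split("s2c flow:", 1)[-1]  # only the server-to-client half carries the return mac
    return {"ingress": field("ingress interface"),
            "s2c_pbf_rule": field("pbf rule", s2c),
            "return_mac": field("symmetric return mac", s2c)}

def parse_return_mac_table(text):
    # Rows of the per-rule table at the end of 'show pbf return-mac all'
    return [dict(zip(("rule", "ip", "mac", "port", "status"), m.groups()))
            for m in map(ROW_RE.match, text.splitlines()) if m]

def check_symmetric_return(session_text, table_text):
    """Return a list of problems; an empty list means replies will leave via the ingress interface."""
    s = parse_session(session_text)
    if not s["s2c_pbf_rule"]:
        return ["s2c flow did not match any PBF rule"]
    if not s["return_mac"]:
        return ["no symmetric return mac recorded on the session"]
    entries = [e for e in parse_return_mac_table(table_text) if e["mac"] == s["return_mac"]]
    problems = [] if entries else [f"return mac {s['return_mac']} is not in the return-mac table"]
    for e in entries:
        if e["port"] != s["ingress"]:  # learned on another port: replies would not retrace the path
            problems.append(f"{e['ip']} resolves on {e['port']}, session ingress is {s['ingress']}")
        if e["status"] == "i":  # incomplete: MAC not resolved yet, return packets cannot be forwarded
            problems.append(f"return-mac entry for {e['ip']} is incomplete")
    return problems
```

Run against the captured outputs, `check_symmetric_return(SESSION_OUTPUT, RETURN_MAC_OUTPUT)` returns an empty list; feed it the output of a session that never matched the PBF rule and it reports why.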
LIMITATION
The device supports only a limited number of symmetric return next-hop addresses: up to 8 (verified on the PA-820 and PA-5410; 30 on the PA-5220). The limit on a given device can be read from the system state:
admin@PA-820> show system state | match max-return-address
cfg.general.max-return-address: 0x8
This limit applies to the total number of next-hop addresses across all symmetric return rules: up to 8 rules with one address each (even if they all use the same address), or fewer rules with more than one address each, as long as the total does not exceed eight.