https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151729#M24932 <P>As long as the firewall is receiving both the c2s and s2c flow of packets and antispoofing is not violated, traffic coming back on a different interface than it left on will work to my knowledge.&nbsp; If one of the flows is bypassing the firewall completely that will not work.</P> Fri, 24 Jun 2022 19:28:41 GMT Timothy_Hall 2022-06-24T19:28:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151499#M24817 <P>Assuming that anti spoofing is disabled, is there any issue&nbsp; if&nbsp; the gateways routes traffic towards a physical interfaces and the response returns to the same firewall on a different interface?<BR />I am planning a migration and I could be in this scenario for a few minutes.&nbsp;<BR />I was wondering if any security feature could be sensitive to this scenario or the gateway will just process the traffic.<BR /><BR /><BR /></P> Wed, 22 Jun 2022 15:03:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151499#M24817 Luis_Miguel_Mig 2022-06-22T15:03:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151512#M24822 <P>I do not think that you will experience any issues besides warnings and all existing sessions being dropped until reconnected.</P> <P>The only caveat is if you are using Zones and if both interfaces expected to carry asymmetric traffic are the members of the same zone.</P> <P>Are you planning to disable anti-spoofing globally or in select interfaces' properties?</P> <P>Better to get a second opinion here before trying though...</P> Wed, 22 Jun 2022 16:00:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151512#M24822 Vladimir 2022-06-22T16:00:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151518#M24824 <P>SecureXL will put the initial ingress/egress interfaces in the forwarding table and use that for all packets on the connection.<BR />Not exactly sure what would happen if it receives a packet on the wrong interface.<BR />I would test this in the lab to confirm it doesn't break anything.</P> Wed, 22 Jun 2022 19:02:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151518#M24824 PhoneBoy 2022-06-22T19:02:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151729#M24932 <P>As long as the firewall is receiving both the c2s and s2c flow of packets and antispoofing is not violated, traffic coming back on a different interface than it left on will work to my knowledge.&nbsp; If one of the flows is bypassing the firewall completely that will not work.</P> Fri, 24 Jun 2022 19:28:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/151729#M24932 Timothy_Hall 2022-06-24T19:28:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/152326#M25388 <P>Thanks</P> Tue, 05 Jul 2022 10:38:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/not-so-asymmetric-traffic/m-p/152326#M25388 Luis_Miguel_Mig 2022-07-05T10:38:24Z