https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259484#M50892 <P>Hi,&nbsp;</P><P>I managed to resolved the issue, NAT and PBR. All seems to be working now, but still testing.&nbsp;</P><P>Regards,</P><P>Salom</P> Wed, 08 Oct 2025 19:14:16 GMT Salom_Idhogela 2025-10-08T19:14:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252022#M49361 <P>Hi Team,</P><P>This is my second post on the Check Point community, and I must say I find this platform extremely helpful in resolving many of my concerns.</P><P>I’m seeking your expert opinion on a requirement we’re working on: ensuring that return traffic is routed through the same interface it originally arrived on.</P><P>As illustrated in the attachment, we need to publish a single web application using two public IP addresses provided by two different ISPs. For example, let’s say we’re publishing the website <STRONG>example.com</STRONG> to the internet. DNS load balancing (round-robin) is being used to distribute requests between the two IP addresses.</P><P>Here’s the current scenario:</P><OL><LI><P>Traffic coming to <STRONG>x.x.x.x (ISP1)</STRONG> is NATed to <STRONG>z.z.z.z</STRONG>, and since the firewall’s default route points to ISP1, return traffic is successfully routed back via ISP1.</P></LI><LI><P>However, traffic arriving at <STRONG>y.y.y.y (ISP2)</STRONG> is also NATed to <STRONG>z.z.z.z</STRONG>, but the return traffic is still sent out via ISP1 due to the default route. As a result, the application doesn’t work properly when accessed via ISP2.</P></LI></OL><P>&nbsp;</P><P>Could you please confirm whether this type of return routing (i.e., symmetric routing based on incoming interface) can be achieved using Check Point? If so, i would appreciate your guidance on how to implement it. If not, are there any recommended workarounds?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 26 Jun 2025 13:39:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252022#M49361 Thisara_Dilshan 2025-06-26T13:39:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252081#M49367 <P>If any feature allows for this, it's ISP Redundancy.<BR />However, I suspect what you're looking for is an RFE.</P> Thu, 26 Jun 2025 17:32:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252081#M49367 PhoneBoy 2025-06-26T17:32:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252088#M49368 <P>I see what Phoneboy is saying. ISP redundancy also came to my mind when I saw the diagram.</P> <P>Andy</P> Thu, 26 Jun 2025 18:21:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252088#M49368 the_rock 2025-06-26T18:21:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252258#M49388 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for sharing your input.&nbsp;</P><P>Yes. This is working fine with ISP Redundancy. However, in this specific customer environment, they want to utilize PBR to route some specific traffic as well. In that case, PBR is not working once we enable the ISP redundancy. I guess PBR is not supported with ISP redundancy.&nbsp;&nbsp;</P><P>&nbsp;</P><P><A href="https://support.checkpoint.com/results/sk/sk167135" target="_blank">https://support.checkpoint.com/results/sk/sk167135</A></P> Mon, 30 Jun 2025 13:34:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252258#M49388 Thisara_Dilshan 2025-06-30T13:34:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252259#M49389 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for sharing your input. For this specific customer we need both ISP redundancy and PBR working together. Is there any workaround for the PBR concern?</P> Mon, 30 Jun 2025 13:38:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252259#M49389 Thisara_Dilshan 2025-06-30T13:38:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252260#M49390 <P>According to below, still not supported.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk167135" target="_blank">https://support.checkpoint.com/results/sk/sk167135</A></P> Mon, 30 Jun 2025 13:41:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252260#M49390 the_rock 2025-06-30T13:41:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252280#M49391 <P>Which definitely makes what the customer wants to do an RFE.</P> Mon, 30 Jun 2025 14:57:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/252280#M49391 PhoneBoy 2025-06-30T14:57:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259479#M50888 <P>I have the same issue, did you get help. It looks like checkpoint stafeful firewalling is not working anymore.</P><P>Regards,</P><P>Salom</P> Wed, 08 Oct 2025 18:28:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259479#M50888 Salom_Idhogela 2025-10-08T18:28:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259480#M50889 <P>ISP redundancy or SDWAN is the solution for this. However, PBR is not working when using ISP redundancy. So, the ideal solution would be to use SDWAN for Symmetric Packet Return.</P><P><A href="https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Quantum-SD-WAN-Admin-Guide/Content/Topics-SD-WAN/Symmetric-Packet-Return.htm#:~:text=Symmetric%20Packet%20Return%20supports%20SD,IP%20address%20(without%20NAT" target="_blank">https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Quantum-SD-WAN-Admin-Guide/Content/Topics-SD-WAN/Symmetric-Packet-Return.htm#:~:text=Symmetric%20Packet%20Return%20supports%20SD,IP%20address%20(without%20NAT</A>).</P> Wed, 08 Oct 2025 18:33:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259480#M50889 Thisara_Dilshan 2025-10-08T18:33:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259481#M50890 <P>Definitely sd-wan.</P> Wed, 08 Oct 2025 18:38:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259481#M50890 the_rock 2025-10-08T18:38:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259482#M50891 <P>what do you mean by it is not working anymore? Check out also new SD-wan features in upcomming released</P> Wed, 08 Oct 2025 18:44:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259482#M50891 Lesley 2025-10-08T18:44:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259484#M50892 <P>Hi,&nbsp;</P><P>I managed to resolved the issue, NAT and PBR. All seems to be working now, but still testing.&nbsp;</P><P>Regards,</P><P>Salom</P> Wed, 08 Oct 2025 19:14:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Routing-the-return-Traffic-Through-the-Same-incoming-interface/m-p/259484#M50892 Salom_Idhogela 2025-10-08T19:14:16Z