This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2024-06-28 11:25 AM
Jump to solution

SD-WAN and symmetric return of packets from inbound connections

In the list of limitations of SD-WAN, we see this:

"PMTR-104986: For inbound connections from the internet, SD-WAN does not support the symmetric return of packets through the same interface on which the connection was originally received, in case of multiple ISPs.

The return will be determined based on the OS routes."

That seems like a very basic limitation. and a step back since it is even supported in ISP redundancy, which was already a very archaic feature.

This means that differently from IPS redundancy, which returns packets through the same interface the connection was received, SD-WAN will route traffic through the prefered OS route. Thus, you cannot have a server published through more than one isp link and one inbound NAT rule for each isp link, it will only work through one link.

The methods I found to deal with this are:

  1. Lock the server through an ISP. No redundancy.
  2. Having 2 IP addresses configured in the server and NAT rules and PBR configured for each address. (A lot of extra work)
  3. Having 2 servers running this service.  (Even more extra work!)

I'm interested to know how other people in this forum are dealing with this. Does everyone have load balancers for inbound connections? Am I missing something?

2 Solutions

Accepted Solutions
AmirArama
Employee
Employee
‎2024-06-29 03:42 AM
Jump to solution

Hi,

Indeed, this is basic limitation.

We already have the fix for it. So the return (s2c) packets will be routed back from the same ISP the connection (c2s) originally came through.

it should be merged into JHF that will be released in the next month or so for GAIA. 

As a temp workaround:

If you need the redundancy to the server works as active/backup, you can just set two default routes on your GAIA with different priorities, with "IP Reachability Detection" configured (if you want to probe the line. Otherwise just with "ping on"). So once main line is dead, the active route would be the second ISP, and then the server would be accesible through it. 

In case you need it to be accesible in parallel via multiple ISPs, i afraid only your PBR idea can work.

 

Let me know if you need further assistance,

 

View solution in original post

(1)
AmirArama
Employee
Employee
Wednesday
In response to Pedro_Espindola
Jump to solution

i would like to update that the mentioned feature is now available on GAIA GWs from R81.20 JHF 79 that was released.

in order to enable this feature after installing this JHF:

until we will make it enabled by default, it's needed to edit (or create) the file: $FWDIR/conf/sdwan/sdwan_steering_params.json 

and add this line to the file:

{ "sdw_default_symmetric_return_value" : true }

then restart the steering process:
sdwan_steering_stop;sdwan_steering_start

 

Thanks

View solution in original post

0 Kudos
4 Replies
AmirArama
Employee
Employee
‎2024-06-29 03:42 AM
Jump to solution

Hi,

Indeed, this is basic limitation.

We already have the fix for it. So the return (s2c) packets will be routed back from the same ISP the connection (c2s) originally came through.

it should be merged into JHF that will be released in the next month or so for GAIA. 

As a temp workaround:

If you need the redundancy to the server works as active/backup, you can just set two default routes on your GAIA with different priorities, with "IP Reachability Detection" configured (if you want to probe the line. Otherwise just with "ping on"). So once main line is dead, the active route would be the second ISP, and then the server would be accesible through it. 

In case you need it to be accesible in parallel via multiple ISPs, i afraid only your PBR idea can work.

 

Let me know if you need further assistance,

 

(1)
Pedro_Espindola
Advisor
‎2024-07-02 06:18 AM
In response to AmirArama
Jump to solution

Hi Amir,

Thank you for the information. That's great news!

AmirArama
Employee
Employee
‎2024-07-02 06:48 AM
In response to Pedro_Espindola
Jump to solution

You are welcome 

0 Kudos
AmirArama
Employee
Employee
Wednesday
In response to Pedro_Espindola
Jump to solution

i would like to update that the mentioned feature is now available on GAIA GWs from R81.20 JHF 79 that was released.

in order to enable this feature after installing this JHF:

until we will make it enabled by default, it's needed to edit (or create) the file: $FWDIR/conf/sdwan/sdwan_steering_params.json 

and add this line to the file:

{ "sdw_default_symmetric_return_value" : true }

then restart the steering process:
sdwan_steering_stop;sdwan_steering_start

 

Thanks

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events