Asymmetric Routing issue-Checkpoint

Dear Experts,

Need advice on the below:

Attached is a network diagram for one requirement: the “maroon color” line is the outgoing traffic and the “green” line is the return traffic. In the network diagram, the right-hand side firewall is the Check Point firewall. As per the network flow, the outgoing traffic flows via the Check Point, and when it comes back it is not hitting the Check Point firewall. Looks like the traffic will be asymmetric. Just checking if the Check Point can handle such asymmetric traffic, and if there are any provisions to cater for the same.


Firewalls, not just Check Point, won't handle asymmetric routing like that.


For a start, it won't see the TCP handshake complete, as it won't have the SYN-ACK packet back from the SYN request, so it won't establish a session in the state table.

As such, I would suggest moving the link so that on the right-hand side the connection comes in via a separate interface on the Check Point, so that traffic is no longer asymmetric and both requests and replies go through the Check Point.
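
To illustrate the state-table point above, here is an added example (not code from the thread or from Check Point): a minimal model of a stateful firewall's TCP session table, replaying the handshake once along a symmetric path and once along the asymmetric path from the diagram, where the SYN-ACK returns via the other gateway and never crosses the firewall. Addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
FlowKey = Tuple[str, int, str, int]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "PA" = data

class StatefulFirewall:
    """Simplified TCP state table: SYN -> SYN_SENT, SYN-ACK -> ESTABLISHED."""
    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}
        self.drops: List[str] = []

    def _key(self, p: Packet) -> FlowKey:
        # Map both directions of a connection onto one state-table entry
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return rev if rev in self.table else fwd

    def inspect(self, p: Packet) -> bool:
        """Return True if the packet is accepted, False if dropped out of state."""
        key = self._key(p)
        state = self.table.get(key)
        if p.flags == "S" and state is None:
            self.table[key] = "SYN_SENT"       # new session, waiting for SYN-ACK
            return True
        if p.flags == "SA" and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"    # reply seen, handshake completes
            return True
        if state == "ESTABLISHED":
            return True
        # ACK or data for a session whose SYN-ACK the firewall never saw
        self.drops.append(f"{p.flags} {p.src}:{p.sport}->{p.dst}:{p.dport} state={state}")
        return False

def run(symmetric: bool) -> List[bool]:
    """Replay the handshake; only on the symmetric design does the SYN-ACK cross the firewall."""
    fw = StatefulFirewall()
    client, server = "10.1.1.10", "192.0.2.20"   # constructed sample addresses
    syn = Packet(client, server, 40000, 443, "S")
    synack = Packet(server, client, 443, 40000, "SA")
    ack = Packet(client, server, 40000, 443, "A")
    data = Packet(client, server, 40000, 443, "PA")
    seen = [syn, synack, ack, data] if symmetric else [syn, ack, data]
    return [fw.inspect(p) for p in seen]
```

`run(True)` accepts every packet, while `run(False)` accepts only the SYN and drops the client's ACK and data because the session never left SYN_SENT, which is the out-of-state drop a real stateful firewall would log.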


In case you are limited on physical interfaces on the Check Point device, you can have two sub-interfaces, or VLANs, on your one physical interface, one VLAN being the "outside" and the other the "inside". The flow would then be as shown attached; pardon the different icons used, I don't have the same stencils that you used 🙂


Asymmetric routing is never good!
So "maroon color" is the initiating traffic?
- What about changing the gateway on the right side (so that the firewall is not included)?
- Or do a hide-NAT on the right gateway?
- For a short time, INSPECT code could perhaps make a workaround for asymmetric traffic, but clear, symmetric routing must be the goal!

Best Regards,

