This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thisara_Dilshan
Explorer
‎2025-06-26 12:29 AM

Routing the return Traffic Through the Same incoming interface

Hi Team,

This is my second post on the Check Point community, and I must say I find this platform extremely helpful in resolving many of my concerns.

I’m seeking your expert opinion on a requirement we’re working on: ensuring that return traffic is routed through the same interface it originally arrived on.

As illustrated in the attachment, we need to publish a single web application using two public IP addresses provided by two different ISPs. For example, let’s say we’re publishing the website example.com to the internet. DNS load balancing (round-robin) is being used to distribute requests between the two IP addresses.

Here’s the current scenario:

  1. Traffic coming to x.x.x.x (ISP1) is NATed to z.z.z.z, and since the firewall’s default route points to ISP1, return traffic is successfully routed back via ISP1.

  2. However, traffic arriving at y.y.y.y (ISP2) is also NATed to z.z.z.z, but the return traffic is still sent out via ISP1 due to the default route. As a result, the application doesn’t work properly when accessed via ISP2.

 

Could you please confirm whether this type of return routing (i.e., symmetric routing based on incoming interface) can be achieved using Check Point? If so, i would appreciate your guidance on how to implement it. If not, are there any recommended workarounds?

 

 

Preview file
42 KB
0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2025-06-26 10:32 AM

If any feature allows for this, it's ISP Redundancy.
However, I suspect what you're looking for is an RFE.

0 Kudos
Thisara_Dilshan
Explorer
‎2025-06-30 06:34 AM
In response to PhoneBoy

Hi @PhoneBoy 

 

Thanks for sharing your input. 

Yes. This is working fine with ISP Redundancy. However, in this specific customer environment, they want to utilize PBR to route some specific traffic as well. In that case, PBR is not working once we enable the ISP redundancy. I guess PBR is not supported with ISP redundancy.  

 

https://support.checkpoint.com/results/sk/sk167135

0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-30 07:57 AM
In response to Thisara_Dilshan

Which definitely makes what the customer wants to do an RFE.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-26 11:21 AM

I see what Phoneboy is saying. ISP redundancy also came to my mind when I saw the diagram.

Andy

0 Kudos
Thisara_Dilshan
Explorer
‎2025-06-30 06:38 AM
In response to the_rock

@the_rock 

 

Thanks for sharing your input. For this specific customer we need both ISP redundancy and PBR working together. Is there any workaround for the PBR concern?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-30 06:41 AM
In response to Thisara_Dilshan

According to below, still not supported.

Andy

https://support.checkpoint.com/results/sk/sk167135

0 Kudos
Salom_Idhogela
Collaborator
Wednesday

I have the same issue, did you get help. It looks like checkpoint stafeful firewalling is not working anymore.

Regards,

Salom

0 Kudos
Thisara_Dilshan
Explorer
Wednesday
In response to Salom_Idhogela

ISP redundancy or SDWAN is the solution for this. However, PBR is not working when using ISP redundancy. So, the ideal solution would be to use SDWAN for Symmetric Packet Return.

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Quantum-SD-WAN-Admin-Guide/Co...).

0 Kudos
the_rock
MVP Gold
MVP Gold
Wednesday
In response to Thisara_Dilshan

Definitely sd-wan.

0 Kudos
Salom_Idhogela
Collaborator
Wednesday
In response to Thisara_Dilshan

Hi, 

I managed to resolved the issue, NAT and PBR. All seems to be working now, but still testing. 

Regards,

Salom

Lesley
MVP Gold
MVP Gold
Wednesday
In response to Salom_Idhogela

what do you mean by it is not working anymore? Check out also new SD-wan features in upcomming released

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events