Hi Team,
This is my second post on the Check Point community, and I must say I find this platform extremely helpful in resolving many of my concerns.
I’m seeking your expert opinion on a requirement we’re working on: ensuring that return traffic is routed through the same interface it originally arrived on.
As illustrated in the attachment, we need to publish a single web application using two public IP addresses provided by two different ISPs. For example, let’s say we’re publishing the website example.com to the internet. DNS load balancing (round-robin) is being used to distribute requests between the two IP addresses.
Here’s the current scenario:
Traffic coming to x.x.x.x (ISP1) is NATed to z.z.z.z, and since the firewall’s default route points to ISP1, return traffic is successfully routed back via ISP1.
However, traffic arriving at y.y.y.y (ISP2) is also NATed to z.z.z.z, but the return traffic is still sent out via ISP1 due to the default route. As a result, the application doesn’t work properly when accessed via ISP2.
Could you please confirm whether this type of return routing (i.e., symmetric routing based on incoming interface) can be achieved using Check Point? If so, I would appreciate your guidance on how to implement it. If not, are there any recommended workarounds?
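The behaviour described in the question above, as an added example that is not part of the original post and is not Check Point code: a generic model of a NAT firewall that picks the return interface either from the default route or from the interface recorded in the connection entry. All addresses are constructed from documentation ranges and stand in for x.x.x.x, y.y.y.y and z.z.z.z; the class and function names are hypothetical.

```python
# Added illustration: generic model, not Check Point's implementation.
from dataclasses import dataclass

ISP1_PUBLIC = "198.51.100.10"   # constructed, stands in for x.x.x.x (ISP1)
ISP2_PUBLIC = "203.0.113.10"    # constructed, stands in for y.y.y.y (ISP2)
SERVER = "10.0.0.50"            # constructed, stands in for z.z.z.z
PUBLIC_TO_IFACE = {ISP1_PUBLIC: "isp1", ISP2_PUBLIC: "isp2"}
DEFAULT_ROUTE_IFACE = "isp1"    # the firewall's default route points to ISP1


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, symmetric_return: bool):
        self.symmetric_return = symmetric_return
        # (client, client port, server, server port) -> (public IP, ingress iface)
        self.conns = {}

    def inbound(self, pkt: Packet, ingress: str) -> Packet:
        """Destination-NAT the public IP to the server and record the connection."""
        if PUBLIC_TO_IFACE.get(pkt.dst) != ingress:
            raise ValueError("packet arrived on the wrong ISP link")
        self.conns[(pkt.src, pkt.sport, SERVER, pkt.dport)] = (pkt.dst, ingress)
        return Packet(pkt.src, pkt.sport, SERVER, pkt.dport)

    def outbound(self, reply: Packet):
        """Reverse the NAT on a server reply and choose the egress interface."""
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        public_ip, ingress = self.conns[key]
        # Destination-only lookup ignores where the connection came in.
        egress = ingress if self.symmetric_return else DEFAULT_ROUTE_IFACE
        return Packet(public_ip, reply.sport, reply.dst, reply.dport), egress


def round_trip(public_ip: str, symmetric_return: bool):
    """Return (ingress, egress, reply source IP) for one client request."""
    fw = Firewall(symmetric_return)
    ingress = PUBLIC_TO_IFACE[public_ip]
    req = fw.inbound(Packet("192.0.2.77", 40000, public_ip, 443), ingress)
    reply, egress = fw.outbound(Packet(req.dst, req.dport, req.src, req.sport))
    return ingress, egress, reply.src
```

With `symmetric_return=False`, a request to the ISP2 address leaves via `isp1` while still carrying the ISP2 address as its source, which is the asymmetric path the question describes.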
If any feature allows for this, it's ISP Redundancy.
However, I suspect what you're looking for is an RFE.
Hi @PhoneBoy
Thanks for sharing your input.
Yes. This is working fine with ISP Redundancy. However, in this specific customer environment, they want to utilize PBR to route some specific traffic as well. In that case, PBR is not working once we enable the ISP redundancy. I guess PBR is not supported with ISP redundancy.
Which definitely makes what the customer wants to do an RFE.
I see what Phoneboy is saying. ISP redundancy also came to my mind when I saw the diagram.
Andy
Thanks for sharing your input. For this specific customer we need both ISP redundancy and PBR working together. Is there any workaround for the PBR concern?
According to below, still not supported.
Andy
https://support.checkpoint.com/results/sk/sk167135
I have the same issue, did you get help? It looks like Check Point stateful firewalling is not working anymore.
Regards,
Salom
ISP redundancy or SDWAN is the solution for this. However, PBR is not working when using ISP redundancy. So, the ideal solution would be to use SDWAN for Symmetric Packet Return.
Definitely sd-wan.
Hi,
I managed to resolve the issue, NAT and PBR. All seems to be working now, but still testing.
Regards,
Salom
What do you mean by it is not working anymore? Also check out the new SD-WAN features in upcoming releases.