Luis_Miguel_Mig
Advisor

not so asymmetric traffic

Assuming that anti-spoofing is disabled, is there any issue if the gateway routes traffic towards a physical interface and the response returns to the same firewall on a different interface?
I am planning a migration and I could be in this scenario for a few minutes.
I was wondering if any security feature could be sensitive to this scenario or if the gateway will just process the traffic.


Vladimir
Champion

I do not think that you will experience any issues besides warnings and all existing sessions being dropped until reconnected.

The only caveat is if you are using Zones and if both interfaces expected to carry asymmetric traffic are the members of the same zone.

Are you planning to disable anti-spoofing globally or in select interfaces' properties?

Better to get a second opinion here before trying though...

PhoneBoy
Admin

SecureXL will put the initial ingress/egress interfaces in the forwarding table and use that for all packets on the connection.
Not exactly sure what would happen if it receives a packet on the wrong interface.
I would test this in the lab to confirm it doesn't break anything.

Timothy_Hall
Champion

As long as the firewall is receiving both the c2s and s2c flow of packets and antispoofing is not violated, traffic coming back on a different interface than it left on will work to my knowledge. If one of the flows is bypassing the firewall completely, that will not work.

Luis_Miguel_Mig
Advisor

Thanks
