PBF - Symmetric Return Details
Hello, good evening, as always, thanks for the good vibes, the collaboration and your time.
One doubt: I have managed to validate this behavior, associated with the environment, with two or three ISP Internet links, when I point 2 DNATs to the same IP. And, of course, to force traffic for the ISP that does not have the default route to enter and exit through the same link.
Now my doubt is the following, and I have not been able to check it: does this also apply, or would it eventually apply, when it is not the same destination host?
Example:
4 servers (on the same network, 10.0.1.0/24), all of which have their default routes pointing to the primary ISP. But 2 of these servers must be NATed/DNAT'd with the public IPs of the secondary link, which has no default route; ECMP is not enabled in the AP, and these two servers go out to the Internet through the main one. For the case of these 2 servers, which will use public IPs of the second link, should I also configure a PBF with symmetric return, as detailed in the link, or is it better to force the output with an outbound PBF, so that traffic from these 2 servers exits through the secondary link and there is no issue with the DNAT and the symmetric return? What do you recommend: the PBF for the symmetric return, or the PBF to force the output of those servers through the secondary?
I know it is bad practice to use DNAT and expose services to the Internet, I know it is, but you know that for certain specific cases it is necessary. The connections are protected: only the necessary ports and apps are opened, and where possible it is filtered by origin, by public IP of a known and valid origin.
Link:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK
Thanks, I remain attentive
Best regards
Outbound would work for outbound sessions; I think your question was regarding incoming connections?
The best way I see this working is to create a PBF rule on the ISP2 link that redirects incoming connections (use ports, not App-ID) to the ISP2 IPs to the correct server, and then set symmetric return to the ISP2 router next hop.
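The reply above written out as PAN-OS set commands, as an added example that is not from the original thread or from the linked KB article. It assumes ethernet1/2 in zone untrust-isp2 facing the ISP2 router 203.0.113.1, ethernet1/3 in zone trust facing 10.0.1.0/24, ISP2 public IPs 203.0.113.10 and 203.0.113.11 mapped to servers 10.0.1.10 and 10.0.1.11, and HTTPS as the only exposed service; all of these names and addresses are assumptions.

```text
# Assumed topology (constructed for this example, not from the thread):
#   ethernet1/2  zone untrust-isp2  203.0.113.2/29  ISP2 router 203.0.113.1 (no default route via ISP2)
#   ethernet1/3  zone trust         10.0.1.1/24     servers' default route goes out via ISP1
#   DNAT: 203.0.113.10 -> 10.0.1.10 and 203.0.113.11 -> 10.0.1.11, HTTPS only

# 1. Address objects: pre-NAT (public) and post-NAT (private) addresses
set address isp2-pub-srv1 ip-netmask 203.0.113.10/32
set address isp2-pub-srv2 ip-netmask 203.0.113.11/32
set address srv1 ip-netmask 10.0.1.10/32
set address srv2 ip-netmask 10.0.1.11/32
set address-group isp2-public-servers static [ isp2-pub-srv1 isp2-pub-srv2 ]

# 2. Destination NAT, one rule per published IP. The "to" zone is the zone where the
#    public IP lives (untrust-isp2), not the zone of the server.
set rulebase nat rules dnat-isp2-srv1 from untrust-isp2 to untrust-isp2 source any destination isp2-pub-srv1 service service-https
set rulebase nat rules dnat-isp2-srv1 destination-translation translated-address srv1
set rulebase nat rules dnat-isp2-srv2 from untrust-isp2 to untrust-isp2 source any destination isp2-pub-srv2 service service-https
set rulebase nat rules dnat-isp2-srv2 destination-translation translated-address srv2

# 3. Security policy: post-NAT destination zone (trust), pre-NAT destination address,
#    and only the published port. Tighten "source any" to known client IPs if you have them.
set rulebase security rules allow-isp2-inbound from untrust-isp2 to trust source any destination isp2-public-servers application any service service-https action allow

# 4. PBF on the ISP2 ingress zone: match on the port (not App-ID, which is not known on the
#    first packet), forward to the server LAN, and record the ISP2 router as the return
#    next hop so replies for these sessions leave via ISP2 even though the default route
#    points at ISP1. One rule covers both public IPs; symmetric return is kept per session.
set rulebase pbf rules pbf-isp2-inbound from zone untrust-isp2
set rulebase pbf rules pbf-isp2-inbound source any
set rulebase pbf rules pbf-isp2-inbound destination isp2-public-servers
set rulebase pbf rules pbf-isp2-inbound application any
set rulebase pbf rules pbf-isp2-inbound service service-https
set rulebase pbf rules pbf-isp2-inbound action forward egress-interface ethernet1/3
set rulebase pbf rules pbf-isp2-inbound enforce-symmetric-return enabled yes
set rulebase pbf rules pbf-isp2-inbound enforce-symmetric-return nexthop-address-list 203.0.113.1

# Verification after commit (operational mode): the inbound session should show the PBF
# rule hit, and the server-to-client flow should egress ethernet1/2 rather than the ISP1 link.
# > show pbf rule all
# > show session all filter destination 203.0.113.10
```

Outbound sessions that the servers initiate themselves are untouched by this rule and still follow the default route through ISP1; only sessions that arrived on ISP2 are pinned to return through ISP2.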