SD-WAN Symmetric Packet Return

Example SD-WAN Topology

  1. An SD-WAN Security Gateway is connected to two ISPs:

    • Interface eth2 connects to ISP #1.

      The default route on the SD-WAN Security Gateway is through the interface eth2 (ISP #1).

    • Interface eth4 connects to ISP #2.

  2. Two internal servers connect to the SD-WAN Security Gateway:

    • FTP Server connects to the interface eth1.

    • Web Server connects to the interface eth3.

Traffic Flow Through an SD-WAN Security Gateway Without Symmetric Packet Return

Note - The asymmetric packet return is the default behavior in these Security Gateway versions:

When the SD-WAN Security Gateway uses the Asymmetric Packet Return:

  1. A request traffic "Client-to-Server" ("C2S") arrives from a Client (through an ISP) to the SD-WAN Security Gateway (in our example, at either interface eth2 or interface eth4).

  2. The SD-WAN Security Gateway passes the request traffic (if the Security Policy allows it) to the internal Server (in our example, through either interface eth1 or interface eth3).

  3. A response traffic "Server-to-Client" ("S2C") from an internal Server arrives at the SD-WAN Security Gateway (in our example, at either interface eth1 or interface eth3).

  4. The SD-WAN Security Gateway passes the response traffic (if the Security Policy allows it) to the Next Hop Gateway.

    By default, the SD-WAN Security Gateway always passes the response traffic to the Next Hop Gateway based on the configured default route (in our example, through the interface eth2).

    Based on our example:

    • If a request traffic arrived through ISP #1 at the interface eth2, then the Security Gateway sends response traffic through the same interface eth2.

    • If a request traffic arrived through ISP #2 at the interface eth4, then the Security Gateway also sends response traffic through the interface eth2.

    As a result, these issue occur:

    • A stateful Firewall at an ISP that did not pass the original request traffic, may drop this response traffic.

    • Traffic distribution through the Security Gateway interfaces is not optimal, because it sends all outbound traffic through the same interface.

    Possible workarounds:

    • Configure Policy Based Routing (PBR) rules based on the internal source IP address for the return (that is the original destination of the inbound traffic).

      See the Gaia Advanced Routing Administration Guide for your version.

    • Configure the default route in which the next hop gateway is the ISP, from which the inbound traffic arrives and through which the traffic should return.

      For static routes, see the Gaia Administration Guide for your version.

      For dynamic routes, see the Gaia Advanced Routing Administration Guide for your version.

Traffic Flow Through an SD-WAN Security Gateway With Symmetric Packet Return

Note - The symmetric packet return is the default behavior in these Security Gateway versions:

When the SD-WAN Security Gateway uses the Symmetric Packet Return:

  1. A request traffic "Client-to-Server" ("C2S") arrives from a Client (through an ISP) to the SD-WAN Security Gateway (in our example, at either interface eth2 or interface eth4).

  2. The SD-WAN Security Gateway passes the request traffic (if the Security Policy allows it) to the internal Server (in our example, through either interface eth1 or interface eth3).

  3. A response traffic "Server-to-Client" ("S2C") from an internal Server arrives at the SD-WAN Security Gateway (in our example, at either interface eth1 or interface eth3).

  4. The SD-WAN Security Gateway passes the response traffic (if the Security Policy allows it) to the Next Hop Gateway.

    By default, the SD-WAN Security Gateway always passes the response traffic to the Next Hop Gateway of the original ISP that sent the request traffic.

    Based on our example:

    • If a request traffic arrived through ISP #1 at the interface eth2, then the Security Gateway sends response traffic through the same interface eth2.

    • If a request traffic arrived through ISP #2 at the interface eth4, then the Security Gateway sends response traffic through the same interface eth4.

Controlling the Symmetric Packet Return for a specific SD-WAN interface:

By default, the SD-WAN Policy enables the Symmetric Packet Return on all SD-WAN interfaces (Public and Private) defined in the WAN Link Mapping on supported Security Gateways.

You can disable the Symmetric Packet Return for SD-WAN interfaces in two ways.

  1. Log in to Check Point Infinity Portal.

  2. Click the top left Menu > in the section Quantum, click SD-WAN.

  3. From the left navigation panel, click Network.

  4. In the middle section, click WAN Link Mapping (see WAN Link Mapping).

  5. Edit the applicable interface for the applicable SD-WAN Security Gateway.

  6. In the WAN Link Mapping Rule window, expand the Advanced Settings section at the bottom.

  7. Configure the applicable setting:

    • Select Inbound Symmetric Return to enable the Symmetric Packet Return for this specific interface.

      This is the default.

      Best Practice - Select this option for Public WAN Links.

    • Clear Inbound Symmetric Return to disable the Symmetric Packet Return for this specific interface.

      Best Practice - Clear this option for Private WAN Links.

  8. Click OK.

  9. From the top toolbar, click Publish to save the changes.

  10. From the top toolbar, click Enforce to apply the changes.

    The orange frame on this button means there are changes that are not enforced.

    In the popup window that opens, click Publish & Enforce Policy.

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • This configuration has higher priority than the settings in Infinity Portal.

  • This configuration applies to all SD-WAN interfaces on the Security Gateway.

  • This configuration does not survive an upgrade to a higher major version.

  1. Connect to the command line on the Security Gateway / each Cluster Member.

  2. Log in.

  3. If your default shell is Gaia Clish, then go to the Expert mode:

    expert

  4. Modify the $FWDIR/conf/sdwan/sdwan_steering_params.json file:

    1. If the file $FWDIR/conf/sdwan/sdwan_steering_params.json exists, create a backup copy.

      Otherwise, create this file.

      Run this long command:

      if [ -f $FWDIR/conf/sdwan/sdwan_steering_params.json ] ; then echo "Creating the backup ..." ; cp -v $FWDIR/conf/sdwan/sdwan_steering_params.json{,BKP} ; else echo "Creating the file ..." ; touch $FWDIR/conf/sdwan/sdwan_steering_params.json ; stat $FWDIR/conf/sdwan/sdwan_steering_params.json ; fi

    2. Edit the $FWDIR/conf/sdwan/sdwan_steering_params.json file:

      vi $FWDIR/conf/sdwan/sdwan_steering_params.json

    3. If this file is empty, then add all these lines.

      If this file already contains other configuration parameters, then add this configuration parameter on a new line:

      • To enable the Symmetric Packet Return for all local SD-WAN interfaces:

        {
    "sdw_default_symmetric_return_value" : true
}

      • To disable the Symmetric Packet Return for all local SD-WAN interfaces:

        {
    "sdw_default_symmetric_return_value" : false
}

    4. Save the changes in the file and exit the editor.

  5. Restart the SD-WAN Steering process:

    sdwan_steering_stop ; sdwan_steering_start

Notes:

  • Symmetric Packet Return supports SD-WAN interfaces for ISP lines of type Private (for example, MPLS) and of type Public.

    Consider disabling this feature on private interfaces if you want dynamic routing to control the return traffic instead of enforcing symmetric return paths.

  • Symmetric Packet Return supports inbound traffic to servers behind the Security Gateway that are accessible directly with a Public IP address (without NAT).

  • Symmetric Packet Return supports inbound traffic to servers behind the Security Gateway that are accessible with a Private IP address behind NAT - a device in front of the Security Gateway performs this NAT.

  • Symmetric Packet Return supports inbound traffic, also when the Security Gateway performs Inbound HTTPS Inspection for that connection.

  • Symmetric Packet Return supports inbound traffic to servers behind the Security Gateway that are accessible with a Private IP address behind NAT - the Security Gateway performs this NAT.

    The NAT IP address can be one of these:

    • The IP address of the external Security Gateway interface - configure the required Static NAT rules.

    • An IP address from a NAT Pool that contains IP addresses from a different subnet than the external Security Gateway interface.

      The Next Hop Gateway device will need to route this NAT Pool towards the point-to-point Security Gateway interface.

    • An IP address from a NAT Pool that contains IP addresses from the same subnet as the external Security Gateway interface.

      You must configure:

      • Static NAT rules.

      • Proxy ARP on the Security Gateway:

        • If you configure Manual NAT, then you must follow sk30197 (for Security Gateway) / sk114531 (for Quantum Spark).

        • If you configure Automatic NAT, the Security Gateway performs Proxy ARP automatically.

Limitations in Symmetric Packet Return:

  • Symmetric Packet Return does not support inbound traffic sent to the Security Gateway itself (and not through the Security Gateway) - HTTPS, SSH, Remote Access VPN (on roadmap).

    For such inbound requests, the Security Gateway sends its response based on its routing table.

    Possible workaround on the Security Gateway:

    1. Configure the IP Reachability Detection feature.

      See the Gaia Advanced Routing Administration Guide for your version > Chapter "IP Reachability Detection".

    2. Select the configured Monitored IP address in the static default route.

      In the route's Gateway, configure such a priority value that:

      1. Users connect first to the Security Gateway through the public IP address of the main ISP (best priority).

      2. If this connection fails, the users connect to the Security Gateway through the public IP address of the another ISP.

      Note - The lower the priority value, the higher the preference.

      See the Gaia Administration Guide for your version > Chapter "Network Management" > Section "IPv4 Static Routes".

  • Symmetric Packet Return supports inbound traffic only in these cases:

    • The inbound traffic did not match any SD-WAN rule.

    • The inbound traffic matches an SD-WAN rule with the Steering Behavior of type "Overlay" ("Local Breakout" is not supported).

  • Symmetric Packet Return does not support traffic that arrives as already encrypted over the Site to Site VPN tunnel.