By default, IKE and IPSec traffic originating at the firewall egresses whichever interface the configured ECMP load-balancing method selects. Select Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs. The setting affects only traffic the firewall itself originates for its tunnels, not transit traffic that the firewall forwards.

Enable Strict Source Path when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a Reverse Path Forwarding (RPF) check (or a similar anti-spoofing check) on packets arriving over a customer link, which confirms that the packet's source IP address belongs to the address space the ISP assigned to that link. Because ECMP by default chooses the egress interface according to the configured ECMP method rather than using the interface that owns the source address, the firewall can send IKE or IPSec packets sourced from one ISP's address out the other ISP's link. That is not what the receiving ISP expects, so its anti-spoofing check can drop the legitimate traffic and the tunnel fails to come up or stays down. In this use case, enable Strict Source Path so that the firewall always uses as the egress interface the interface to which the source IP address of the IPSec tunnel belongs.
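The following Python model is an added illustration of the failure mode described above; it is not PAN-OS code or configuration. It assumes two ISP-facing interfaces with constructed documentation addresses, stands in for the firewall's ECMP method with a simplified IP-modulo selection (real ECMP hashing uses more fields, but the point is only that the source interface does not decide the egress link), and models the ISP's anti-spoofing check as strict uRPF against the prefix assigned to the link. Running it shows that with the default ECMP selection some IKE packets leave the wrong ISP link and are dropped, while Strict Source Path always picks the link that owns the tunnel's source address.

```python
"""Model: ECMP egress selection vs. Strict Source Path for firewall-originated
IKE/IPSec traffic across two ISP links that enforce anti-spoofing (uRPF).

Added example; not vendor code. Addresses and topology are constructed.
"""
from dataclasses import dataclass
import ipaddress

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    prefix: ipaddress.IPv4Network  # link subnet assigned by the ISP
    address: IPv4                  # firewall's own address on that link


# Constructed sample topology (RFC 5737 documentation ranges).
ISP_LINKS = (
    Interface("ethernet1/1", ipaddress.ip_network("203.0.113.0/30"),
              ipaddress.ip_address("203.0.113.2")),
    Interface("ethernet1/2", ipaddress.ip_network("198.51.100.0/30"),
              ipaddress.ip_address("198.51.100.2")),
)


def ecmp_modulo_egress(src: IPv4, dst: IPv4, links):
    """Default behaviour: the ECMP method picks the egress link.

    Assumption: simplified IP-modulo selection stands in for the firewall's
    configured ECMP method. Whatever the method, the interface that owns
    `src` is not what decides the egress link.
    """
    return links[(int(src) + int(dst)) % len(links)]


def strict_source_path_egress(src: IPv4, links):
    """Strict Source Path: egress is the interface whose subnet owns `src`."""
    for link in links:
        if src in link.prefix:
            return link
    raise ValueError(f"no ISP-facing interface owns tunnel source {src}")


def isp_accepts(link: Interface, src: IPv4) -> bool:
    """ISP-side strict uRPF / anti-spoofing check on ingress from the customer:
    accept only packets whose source lies in the prefix assigned to this link."""
    return src in link.prefix


def simulate(tunnels, links, strict: bool):
    """For each (tunnel source IP, IKE peer) pair, return
    {(src, peer): (egress interface name, accepted by ISP?)}."""
    results = {}
    for src, peer in tunnels:
        egress = (strict_source_path_egress(src, links) if strict
                  else ecmp_modulo_egress(src, peer, links))
        results[(str(src), str(peer))] = (egress.name, isp_accepts(egress, src))
    return results


# Constructed tunnels: both sourced from the ISP-1 address, to two different peers.
SAMPLE_TUNNELS = (
    (ipaddress.ip_address("203.0.113.2"), ipaddress.ip_address("192.0.2.1")),
    (ipaddress.ip_address("203.0.113.2"), ipaddress.ip_address("192.0.2.2")),
)

if __name__ == "__main__":
    for strict in (False, True):
        print(f"Strict Source Path: {'on' if strict else 'off'}")
        for (src, peer), (egress, ok) in simulate(SAMPLE_TUNNELS, ISP_LINKS, strict).items():
            print(f"  IKE {src} -> {peer} via {egress}: "
                  f"{'accepted' if ok else 'DROPPED by ISP anti-spoofing'}")
```

With the default selection the packet to 192.0.2.1 hashes onto ethernet1/2 while carrying the 203.0.113.2 source, so the second ISP's uRPF check discards it and that IKE negotiation never completes; the packet to 192.0.2.2 happens to land on the right link. With strict selection every packet leaves the interface that owns its source address and both are accepted, which is exactly the guarantee Strict Source Path provides.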