Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).
In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the
With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface’s IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being blackholed.
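The next-hop decision described above, modelled as an added Python illustration (not PAN-OS code): a constructed dual ISP layout in which the default route points only at ISP A, so replies to flows that arrived via ISP B would leave asymmetrically unless the recorded ingress MAC is used, plus the same-subnet exception that falls back to a route lookup. Interface names, addresses, MACs and session keys are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

@dataclass(frozen=True)
class Interface:
    name: str
    addr: str               # interface IP with prefix length
    symmetric_return: bool  # whether symmetric return is enforced here

    @property
    def network(self):
        return ip_interface(self.addr).network

# Constructed layout: two ISP-facing interfaces and one trust interface.
INTERFACES = {
    "ethernet1/1": Interface("ethernet1/1", "203.0.113.2/24", True),   # ISP A
    "ethernet1/2": Interface("ethernet1/2", "198.51.100.2/24", True),  # ISP B
    "ethernet1/3": Interface("ethernet1/3", "10.0.0.1/24", False),     # trust
}
# Constructed static routes: (prefix, egress interface, next-hop IP).
# Only ISP A carries the default route, which is what creates asymmetry.
ROUTES = [(ip_interface("0.0.0.0/0").network, "ethernet1/1", "203.0.113.1")]

def route_lookup(dst):
    """Longest-prefix match over connected and static routes.
    Returns (egress interface, next-hop IP); connected routes use dst itself."""
    dst = ip_address(dst)
    candidates = [(i.network, i.name, None) for i in INTERFACES.values()] + ROUTES
    _, egress, nh = max((r for r in candidates if dst in r[0]),
                        key=lambda r: r[0].prefixlen)
    return egress, nh if nh is not None else str(dst)

def record_session(sessions, key, ingress, src_mac):
    """Remember the ingress interface and source MAC of the first (SYN) packet."""
    sessions[key] = (ingress, src_mac)

def return_next_hop(sessions, fwd_key, dst):
    """Decide how return traffic of session fwd_key reaches dst."""
    ingress, src_mac = sessions[fwd_key]
    iface = INTERFACES[ingress]
    # Exception: dst on the ingress interface's own subnet, or symmetric return
    # not enabled there -> ordinary route lookup, symmetric return not enforced.
    if not iface.symmetric_return or ip_address(dst) in iface.network:
        egress, nh = route_lookup(dst)
        return ("route", egress, nh)
    # Symmetric return: skip the routing lookup and send the reply back to the
    # MAC address the SYN arrived from, on the interface it arrived on.
    return ("symmetric", ingress, src_mac)
```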
To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user configurable. To determine the limit for your model, use the CLI command: