topic Re: Vulnerability Protection Profile action drop, but still forwards packets in Next-Generation Firewall Discussions

Vulnerability Protection Profile action drop, but still forwards packets

Aamirjan — Thu, 09 Feb 2023 05:43:21 GMT

Hello,

A customer has a Palo Alto perimeter firewall and a Fortigate DCFW which sits behind the PA in the line of traffic when incoming from the internet .

It has been observed that in a scenario when the Palo Alto firewall which has SSL Inbound inspection enabled for all internet facing applications and the vulnerability protection signatures are said to 'drop' action, the firewall still seems to be forwarding packets to the Fortigate FW whose IPS engine gets triggered for the same vulnerability and it blocks packets from the same attacker IP address.

I want to understand if this is a bug or the recommended action should be set to a different one for this to be avoided? Ideally the traffic should never each the Fortigate.

The screenshots from the PA and Fortigate modules are attached. The PAN OS version is 9.1.15-h1.

Thank you!

Aamir

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: Vulnerability Protection Profile action drop, but still forwards packets

murali438 — Thu, 09 Feb 2023 08:47:54 GMT

Hello

Could you please validate if it is for the same source and destination IP's that you are getting the drop log on the Fortigate?

Re: Vulnerability Protection Profile action drop, but still forwards packets

Aamirjan — Thu, 09 Feb 2023 09:00:57 GMT

Hi @murali438 ,

Certainly that was the 1st thing I would have checked. The IP has been flagged by multiple entities as seen in the below link:

https://www.abuseipdb.com/check/192.99.180.188

Cheers

Aamir

Re: Vulnerability Protection Profile action drop, but still forwards packets

Aamirjan — Sun, 12 Feb 2023 04:43:54 GMT

Hello,

To provide additional info showing the same source IP being detected by the PA and Fortinet VA engines, please find the two screenshots attached.

Thanks

Aamir

Re: Vulnerability Protection Profile action drop, but still forwards packets

nikoolayy1 — Thu, 16 Feb 2023 08:51:46 GMT

I thought that made a post here but I see it no more. Strange. Did you check with pcap capture for drop and transmit state that the traffic really passes through the firewall? It could be a visual bug?

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/td-p/402102

Also defenetly check that the SSL decryption is working for the source IP that you see in the attack as maybe not every time traffic is decrypted. Too bad that you are not using 10.x as it has SSL decryption tab that makes life easier.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption

And just in case check the release notes.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/known-issues/known-issues-related-to-pan-os-9-1-releases/pan-os-9-1-15-known-issues

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/known-issues/known-issues-related-to-pan-os-9-1-releases