topic Re: Bypassing "Packets dropped: forwarded to different zone" limitation in General Topics

Bypassing "Packets dropped: forwarded to different zone" limitation

Carracido — Mon, 08 Nov 2021 10:43:41 GMT

Dear community!

I´d like to consult with you for a possible solution for this scenario:

We have 2 internet lines from two interfaces of the PAN firewall connected to two different routers. Each interface is in a different zone.

When incoming and returning packets follow different paths then we have an asymmetric routing condition. Situation similar to this one:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK

We configured the firewall to bypass the non-SYN-TCP check but we still have packets dropped with counter "Packets dropped: forwarded to different zone"

Having both external interfaces in the same zone fixes the issue but we´d like to have them in different zones.

A possible workaround could be using a PBF as in this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK
But this is also not an option because the return mac entries supported is not big enough for all the incoming sessions, meaning the firewall will drop new sessions when table is full.

+ Is there a workaround to bypass the "Packets dropped: forwarded to different zone" counter and allow the firewall to forward s2c traffic to a different zone?

Thank you!

Re: Bypassing "Packets dropped: forwarded to different zone" limitation

kiwi — Tue, 09 Nov 2021 14:19:25 GMT

Hi @Carracido ,

I saw the same behavior with an A/A HA-setup. Are you in the same setup ?

If so, have you considered changing the session setup options ?

For more info please check:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/session-setup.html

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/session-owner.html

Hope this helps,

-Kiwi.

Re: Bypassing "Packets dropped: forwarded to different zone" limitation

Carracido — Wed, 10 Nov 2021 02:30:10 GMT

Hi @kiwi,

Thank you for the answer.

No we don´t have A/A HA-setup so that wouln´t be a solution for our scenario.

Cheers!

Re: Bypassing "Packets dropped: forwarded to different zone" limitation

aleksandar.astardzhiev — Wed, 10 Nov 2021 12:59:03 GMT

Hi @Carracido ,

You mentioned you have disabled the non-SYN TCP check, but did you set "assimetric path" to bypass?

Have you allowed assymetric path globally or per zone with zone protection profile?

I haven't faced a situation like this and I am working that is the actuall purpose of keeping the two ISP connection in different zones?

Re: Bypassing "Packets dropped: forwarded to different zone" limitation

Carracido — Tue, 16 Nov 2021 09:18:21 GMT

Hi @aleksandar.astardzhiev ,

We tried allowing assymetric path both globally and per zone, still the same issue.

The purpose of keeping in different zones the two ISP connections is for having more granularity in the security policies.

Kind Regards.

Re: Bypassing "Packets dropped: forwarded to different zone" limitation

aleksandar.astardzhiev — Tue, 16 Nov 2021 09:47:08 GMT

Hi @Carracido ,

What are you gaining from this granularity? Does the benefits you will gain deserve adding such complexity?

Don't get wrong - as I said I haven't work with such setup and I am insteresed in the motives and are there any other acceptable solutions.

I was hoping for the asymetric pass to do the trick...It is very unlickly, but are you applying any IP spoofing protection with the zone-protection profile?