<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic TCP 179 BGP port exposed to non-direct neighbor or multi-hop neighbor, no rules in place allowing such traffic - still reachable in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-179-bgp-port-exposed-to-non-direct-neighbour-or-multi-hop/m-p/486975#M104672</link>
    <description>&lt;P&gt;Hi,&lt;BR /&gt;&lt;BR /&gt;We just got pinged by security that our Palos are exposing TCP 179 to the internet, while we use BGP as the routing protocol to our next hops.&lt;BR /&gt;&lt;BR /&gt;Now, we haven't got any explicit rule which should allow TCP 179 on the public side, and yet a non-BGP next-hop device can reach 179, while we do not have an explicit rule about the routing protocol in place.&lt;BR /&gt;&lt;BR /&gt;How does that work? And how can I limit the exposure of TCP 179 to only my next-hop neighbor?&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Fri, 13 May 2022 06:05:37 GMT</pubDate>
    <dc:creator>ColinCant</dc:creator>
    <dc:date>2022-05-13T06:05:37Z</dc:date>
    <item>
      <title>TCP 179 BGP port exposed to non-direct neighbor or multi-hop neighbor, no rules in place allowing such traffic - still reachable</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-179-bgp-port-exposed-to-non-direct-neighbour-or-multi-hop/m-p/486975#M104672</link>
      <description>&lt;P&gt;Hi,&lt;BR /&gt;&lt;BR /&gt;We just got pinged by security that our Palos are exposing TCP 179 to the internet, while we use BGP as the routing protocol to our next hops.&lt;BR /&gt;&lt;BR /&gt;Now, we haven't got any explicit rule which should allow TCP 179 on the public side, and yet a non-BGP next-hop device can reach 179, while we do not have an explicit rule about the routing protocol in place.&lt;BR /&gt;&lt;BR /&gt;How does that work? And how can I limit the exposure of TCP 179 to only my next-hop neighbor?&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 13 May 2022 06:05:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-179-bgp-port-exposed-to-non-direct-neighbour-or-multi-hop/m-p/486975#M104672</guid>
      <dc:creator>ColinCant</dc:creator>
      <dc:date>2022-05-13T06:05:37Z</dc:date>
    </item>
    <item>
      <title>Re: TCP 179 BGP port exposed to non-direct neighbor or multi-hop neighbor, no rules in place allowing such traffic - still reachable</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/tcp-179-bgp-port-exposed-to-non-direct-neighbour-or-multi-hop/m-p/487046#M104677</link>
      <description>&lt;P&gt;Thank you for the post&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/219646"&gt;@ColinCant&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My best guess is that the BGP traffic is hitting the rule intrazone-default, which by default has action allow. If your firewall is configured to build a BGP peering with a BGP neighbor on the internet using a local interface, then this traffic is not crossing two different zones, so unless you have a rule to block traffic within the zone, it will be allowed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In order to mitigate this, I would place a rule at the top to allow TCP 179 between your IP on the firewall and the IP address you are peering with, then place another rule below that to block everything else. Before I put this configuration in, I would also check the logs to make sure there is no legitimate intra-zone traffic, for example IPsec tunnel sessions terminating on the untrust interface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind Regards&lt;/P&gt;&lt;P&gt;Pavel&lt;/P&gt;</description>
      <pubDate>Fri, 13 May 2022 10:03:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/tcp-179-bgp-port-exposed-to-non-direct-neighbour-or-multi-hop/m-p/487046#M104677</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2022-05-13T10:03:55Z</dc:date>
    </item>
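The mechanism Pavel describes (a flow from an internet host to the firewall's own untrust address never crosses zones, so it falls through to intrazone-default and is allowed) and his two-rule fix can be traced with a small first-match rulebase model. The following Python is an added example, not code from the thread or from Palo Alto Networks; the Rule fields are a simplified stand-in for a PAN-OS security policy, and every zone name, IP address and rule name in it is constructed for illustration.

```python
"""First-match evaluation of a PAN-OS style security rulebase (added example).

Models explicit rules followed by the two default rules: same ingress and
egress zone hits intrazone-default (allow unless overridden), different
zones hit interzone-default (deny). Addresses, zones and rule names below
are constructed sample data, not taken from any real firewall.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    from_zones: set       # zone names, or {"any"}
    to_zones: set
    sources: list         # CIDR strings, or ["any"]
    destinations: list
    services: set         # e.g. {"tcp/179"}, or {"any"}
    action: str           # "allow" or "deny"


def _zone_match(members, zone):
    return "any" in members or zone in members


def _addr_match(members, ip):
    if "any" in members:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def _service_match(members, service):
    return "any" in members or service in members


def evaluate(rules, flow, intrazone_default="allow", interzone_default="deny"):
    """Return (rule_name, action) for the first rule that matches the flow.

    flow is a dict with src_zone, dst_zone, src_ip, dst_ip and service.
    If no explicit rule matches, the verdict comes from the default rule
    selected by whether the flow stays inside one zone.
    """
    for r in rules:
        if (_zone_match(r.from_zones, flow["src_zone"])
                and _zone_match(r.to_zones, flow["dst_zone"])
                and _addr_match(r.sources, flow["src_ip"])
                and _addr_match(r.destinations, flow["dst_ip"])
                and _service_match(r.services, flow["service"])):
            return r.name, r.action
    if flow["src_zone"] == flow["dst_zone"]:
        return "intrazone-default", intrazone_default
    return "interzone-default", interzone_default


# Constructed addresses: the firewall's untrust interface, its BGP peer,
# an unrelated internet host, and a remote IPsec gateway.
FW_UNTRUST_IP = "203.0.113.10"
BGP_PEER_IP = "203.0.113.9"
SCANNER_IP = "198.51.100.77"
VPN_PEER_IP = "192.0.2.20"


def to_firewall(src_ip, service):
    """A flow arriving on untrust and destined to the firewall's own untrust IP."""
    return {"src_zone": "untrust", "dst_zone": "untrust",
            "src_ip": src_ip, "dst_ip": FW_UNTRUST_IP, "service": service}


# Before: nothing in the rulebase mentions BGP, so intrazone-default decides.
BEFORE = []

# After: the two rules from the reply, peer allow first, then deny the rest of
# the untrust-to-untrust traffic. Anything else terminating on untrust
# (such as IKE for an IPsec tunnel) now needs its own allow rule above the deny.
AFTER = [
    Rule("allow-bgp-peer", {"untrust"}, {"untrust"},
         [BGP_PEER_IP + "/32"], [FW_UNTRUST_IP + "/32"], {"tcp/179"}, "allow"),
    Rule("deny-untrust-intrazone", {"untrust"}, {"untrust"},
         ["any"], ["any"], {"any"}, "deny"),
]


def verdicts():
    """Verdicts for the scenarios in the thread, before and after the fix."""
    return {
        "before_scanner_bgp": evaluate(BEFORE, to_firewall(SCANNER_IP, "tcp/179")),
        "before_peer_bgp": evaluate(BEFORE, to_firewall(BGP_PEER_IP, "tcp/179")),
        "after_scanner_bgp": evaluate(AFTER, to_firewall(SCANNER_IP, "tcp/179")),
        "after_peer_bgp": evaluate(AFTER, to_firewall(BGP_PEER_IP, "tcp/179")),
        # the caveat from the reply: legitimate intrazone traffic gets caught too
        "after_vpn_ike": evaluate(AFTER, to_firewall(VPN_PEER_IP, "udp/500")),
    }


if __name__ == "__main__":
    for name, (rule, action) in verdicts().items():
        print(f"{name}: {action} by {rule}")
```

Running it shows the scanner's TCP 179 SYN allowed by intrazone-default before the change and dropped by deny-untrust-intrazone after it, while the peer still matches allow-bgp-peer. The last scenario is the log check Pavel recommends: IKE from a VPN gateway to the untrust address is also intrazone traffic and would be denied by the catch-all unless an allow rule for it is placed above the deny.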
  </channel>
</rss>

