topic Re: Palo alto fitrewall that it does not take decision upon first packet while other firewalls take.. in General Topics https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14372#M10562 <HTML><HEAD></HEAD><BODY><P>It makes it more of an art form than a science reading the logs, because now you have to weed out the entries that say the traffic was allowed, but the application is incomplete.&nbsp; Since the firewall has to allow the traffic through until it can identify the application you get these somewhat confusing entries in the logs. </P><P></P><P>The users tend to blame the firewall for things not working and you can't really tell them "the firewall allowed it" since that's not the definitive entry, for it may or may not have blocked it further along in the conversation.</P></BODY></HTML> Wed, 25 Feb 2015 13:05:12 GMT BrianMangan 2015-02-25T13:05:12Z Palo alto fitrewall that it does not take decision upon first packet while other firewalls take.. https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14369#M10559 <HTML><HEAD></HEAD><BODY><P><BR />I came to know one thing about palo alto fitrewall that it does not take decision upon first packet, it takes decision after three way handshake.</P><P></P><P>While other firewalls take decision after first packet. What does it mean and how it is benefiical in terms of Palo alto firewalls?</P></BODY></HTML> Mon, 23 Feb 2015 12:07:10 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14369#M10559 vsingh 2015-02-23T12:07:10Z Re: Palo alto fitrewall that it does not take decision upon first packet while other firewalls take.. https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14370#M10560 <HTML><HEAD></HEAD><BODY><P>Depends how you configure rules.</P><P>Let's say you want to allow web browsing.</P><P></P><P>Option A: rule allows web-browsing on any port.</P><P>PA has to allow enough traffic on any destination port to make sure if the session is web-browsing before it can make a decision. So for TCP you can do 3-way handshake on any destination port and traffic will go through until PA notices it's not web-browsing session.</P><P></P><P><SPAN style="font-size: 13.3333330154419px;">Option B: rule allows web-browsing only on application-default ports.</SPAN></P><P><SPAN style="font-size: 13.3333330154419px;">PA has to allow enough traffic on destination port 80 <SPAN style="font-size: 13.3333330154419px;">to make sure if the session <SPAN style="font-size: 13.3333330154419px;">is web-browsing before it can make a decision.</SPAN> Traffic on any other destination port will be dropped before it finishes 3 way handshake (already SYN packet will be dropped).</SPAN></SPAN></P><P><SPAN style="font-size: 13.3333330154419px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333330154419px;"><BR /></SPAN></P></BODY></HTML> Mon, 23 Feb 2015 12:32:11 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14370#M10560 santonic 2015-02-23T12:32:11Z Re: Palo alto fitrewall that it does not take decision upon first packet while other firewalls take.. https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14371#M10561 <HTML><HEAD></HEAD><BODY><P>Or Option C (like any other Firewall): Allow any Application on Port 80</P><P></P><P>PAN make the decision at the first TCP SYN Packet when Traffic comes on Port 80 and allow any Traffic on Port 80</P><P></P><P><span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>..... yes i'm kidding sorry</P></BODY></HTML> Wed, 25 Feb 2015 10:52:10 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14371#M10561 MarcoLeckel 2015-02-25T10:52:10Z Re: Palo alto fitrewall that it does not take decision upon first packet while other firewalls take.. https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14372#M10562 <HTML><HEAD></HEAD><BODY><P>It makes it more of an art form than a science reading the logs, because now you have to weed out the entries that say the traffic was allowed, but the application is incomplete.&nbsp; Since the firewall has to allow the traffic through until it can identify the application you get these somewhat confusing entries in the logs. </P><P></P><P>The users tend to blame the firewall for things not working and you can't really tell them "the firewall allowed it" since that's not the definitive entry, for it may or may not have blocked it further along in the conversation.</P></BODY></HTML> Wed, 25 Feb 2015 13:05:12 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-fitrewall-that-it-does-not-take-decision-upon-first/m-p/14372#M10562 BrianMangan 2015-02-25T13:05:12Z