<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Inspection of traffic with PPPoE headers in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513796#M106693</link>
    <description>&lt;P&gt;I'm attempting to use a PA-440 in vwire mode to inspect traffic that is on the internet side of a broadband modem for security analysis. The traffic passes through the PA OK, but none of the security policies seem to be triggered and no traffic logs are generated. Does anyone know if the Palo Alto firewall will inspect traffic that contains a PPPoE header?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I took a packet capture using the PA firewall and the flows look fine except for the PPP/PPPoE header. Wireshark decodes the applications correctly but not sure why the PA firewall doesn't generate any sessions or traffic logs.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a standard allow all rule in with logging enabled.&lt;/P&gt;</description>
    <pubDate>Fri, 02 Sep 2022 02:08:09 GMT</pubDate>
    <dc:creator>Daniel_Bloom</dc:creator>
    <dc:date>2022-09-02T02:08:09Z</dc:date>
    <item>
      <title>Inspection of traffic with PPPoE headers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513796#M106693</link>
      <description>&lt;P&gt;I'm attempting to use a PA-440 in vwire mode to inspect traffic that is on the internet side of a broadband modem for security analysis. The traffic passes through the PA OK, but none of the security policies seem to be triggered and no traffic logs are generated. Does anyone know if the Palo Alto firewall will inspect traffic that contains a PPPoE header?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I took a packet capture using the PA firewall and the flows look fine except for the PPP/PPPoE header. Wireshark decodes the applications correctly but not sure why the PA firewall doesn't generate any sessions or traffic logs.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a standard allow all rule in with logging enabled.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Sep 2022 02:08:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513796#M106693</guid>
      <dc:creator>Daniel_Bloom</dc:creator>
      <dc:date>2022-09-02T02:08:09Z</dc:date>
    </item>
    <item>
      <title>Re: Inspection of traffic with PPPoE headers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513925#M106710</link>
      <description>&lt;P&gt;Security policy rules don’t apply to Layer 2 packets, which might be the reason you don't see any live sessions or traffic logs. If you haven't defined any tags in the virtual wire object, untagged traffic is allowed without an explicit rule.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You should still be able to capture PPPoE packets though. Is the filter configured to include non-IP traffic?&lt;/P&gt;</description>
      <pubDate>Mon, 05 Sep 2022 09:05:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513925#M106710</guid>
      <dc:creator>Neubauer</dc:creator>
      <dc:date>2022-09-05T09:05:55Z</dc:date>
    </item>
    <item>
      <title>Re: Inspection of traffic with PPPoE headers</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513975#M106718</link>
      <description>&lt;P&gt;I don't actually need the policies to apply to the PPPoE header, but would like the firewall to be able to inspect the layer 3-7 data like it normally would on traffic without the PPPoE header. From what I've observed, when the PPPoE header is also included in the packet, the firewall just ignores the rest of the data. I did think about tunnel inspection policies, but these don't apply to PPPoE, only GRE/VXLAN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There are no VLAN tags on this traffic but I've tested with and without tags defined on the vwire without success.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The capture filter did not include non-IP traffic.&lt;/P&gt;</description>
      <pubDate>Mon, 05 Sep 2022 23:35:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/inspection-of-traffic-with-pppoe-headers/m-p/513975#M106718</guid>
      <dc:creator>Daniel_Bloom</dc:creator>
      <dc:date>2022-09-05T23:35:35Z</dc:date>
    </item>
  </channel>
</rss>

