topic How to avoid internet traffic inspection in General Topics

How to avoid internet traffic inspection

arpitshrm84 — Mon, 16 Jan 2023 06:20:36 GMT

Hi, how can I avoid internet traffic inspection from my PA. We already have a PA inspecting the internet traffic and we want to setup this particular PA for only inspecting the internal traffic.

TIA

Re: How to avoid internet traffic inspection

aleksandar.astardzhiev — Mon, 16 Jan 2023 15:05:49 GMT

Hi @arpitshrm84 ,

Your question is too broad and generic, are you able to provide some high-level diagram and brief explanation of your setup?

But in general, Palo Alto is applying (the so called) deep packet inspection, by specifying Security Profiles, for each traffic rule. Which means, that you can create traffic rule matching the traffic you don't want to inspect (source/destination addresses and ports) and just don't apply any Security Profiles for this traffic.

Re: How to avoid internet traffic inspection

arpitshrm84 — Tue, 17 Jan 2023 02:11:36 GMT

Hi, thank you very much for your response.
Let me explain a bit more in detail.

As of now, we have a branch office which is connected to the DC. So, the internet traffic is coming to the DC and going out through the Internet PA. now, we want to put another PA between branch office and DC which should inspect only the internal network (10.0.0.0/8) since the internet traffic will be anyway inspected by the internet PA.

Current Setup:

Branch Office —— DC—— Internet PA

Proposed Setup:

Branch Office — Internal PA— DC—— Internet PA

What is the best solution for this. Can application override achieve this?

TIA

Re: How to avoid internet traffic inspection

Raido_Rattameister — Tue, 17 Jan 2023 05:54:01 GMT

By default Palo performs application identification.

You can add security profiles into security policy to enable IPS feature.

If you don't want IPS then don't add security profile into security policy.

If you want to see what threats pass by but don't want to block then create security profiles in alert mode to set traffic inspection into IDS mode instead of IPS.

Application override is generally bad practice as this will make Palo dumb router and it will only look first 4 layers and don't try to identify application at all.

Re: How to avoid internet traffic inspection

arpitshrm84 — Tue, 17 Jan 2023 06:42:06 GMT

Hi, many thanks for your response.

What about the throughput of the internal PA. If we put none in the security profile, will the PA process it as L4 or L7. With application override, it will be L4 for sure. We just want to see which PA is suitable for us considering the throughput required.

Re: How to avoid internet traffic inspection

Raido_Rattameister — Tue, 17 Jan 2023 06:48:25 GMT

You can see throughput of different models by visiting following link

https://www.paloaltonetworks.com/products/product-selection

App-ID firewall throughput - security profile not set

Threat prevention throughput - security profiles configured

Security profile not set is layer 7 as firewall needs to identify application.

Application override is definitely layer 4 and you will loose all next generation firewall capabilities using it.

Re: How to avoid internet traffic inspection

arpitshrm84 — Wed, 18 Jan 2023 06:18:44 GMT

Hi, many thanks for your help.