topic Re: arp Flooding in General Topics

arp Flooding

Jameslee20 — Tue, 24 Sep 2024 17:39:31 GMT

Cisco router is getting flooding from Palo Alto firewall

Source NAT is basic getting scan from outside random countries

We deal with users in other countries and blocking by countries will not work.

the ranges from outside to our public ip address

It looks like a scanning because it's rang of our public ip address

what can we do to stop it or protection

it looks like this but i'm using private as example but they are scanning our two /24 pubic ip address

192.168.20.1 port

192.168.20.3 port

192.168.20.5 port

192.168.20.16 port

Etc...

Re: arp Flooding

Raido_Rattameister — Tue, 24 Sep 2024 17:52:10 GMT

Traffic is like this?

Internet > Palo > Cisco router

Does Palo have NAT policy that this traffic matches?

Can you share it?

Re: arp Flooding

Jameslee20 — Tue, 24 Sep 2024 19:52:52 GMT

it doesn't match with some ports or vaild ip address and Palo alto send the arp request who has the port or ip address to it

some people is doing random scanning to thos invaild ports and invaild ip address

we do have vaild ports and vaild but not all is used

Re: arp Flooding

Brandon_Wertz — Tue, 24 Sep 2024 20:53:28 GMT

@Jameslee20 wrote:

Cisco router is getting flooding from Palo Alto firewall

Source NAT is basic getting scan from outside random countries

We deal with users in other countries and blocking by countries will not work.

the ranges from outside to our public ip address

It looks like a scanning because it's rang of our public ip address

what can we do to stop it or protection

it looks like this but i'm using private as example but they are scanning our two /24 pubic ip address

192.168.20.1 port

192.168.20.3 port

192.168.20.5 port

192.168.20.16 port

Etc...

I want to clarify what you're saying is actually going on:

"Cisco router is getting flooding from Palo Alto firewall" ... "It looks like a scanning because it's rang of our public ip address"

What is your boundary architecture? ISP <--> Border Router <--> Palo FW ?? Is this how your edge is deployed?

If I described your boundary correct does your border router "own" your public IP space? When you say that the Palo is "flooding" your Cisco router, are you meaning that the downstream Palo is "arping" out for IPs that the border router owns? If all of what I described is true, then my suspicion is that the L3 interface object on your PA firewall is set as wrong mask. If the IP object is a /24 for instance, but the /24 is actually owned by the upstream router then the Palo will actually ARP out for all IPs in the /24. In this instance the IP object on the L3 interface of the Palo needs to just be a /32. Converting the IP object to a /32 will stop the upstream Cisco Border router from seeing the Palo flood it.

Hopefully this is getting at what you're seeing. If not please clarify.

Re: arp Flooding

Jameslee20 — Tue, 24 Sep 2024 22:08:58 GMT

ISP <--> Cisco Router <--> palo alto firewall

outside -- > cisco router than to Palo Alto Firewall

When firewall see invalid port or our Public ip address it forwards ARP flood asking the router where this ip address or this address with port
Palo Alto has default out to the Cisco Router and when we did packet capture 69% of was ARP flooding asking where is this

Re: arp Flooding

Jameslee20 — Tue, 24 Sep 2024 22:12:20 GMT

When we search for the public ip address for the Source NAT they were /32.

I mean i can double check we didn't see a /24 and saw /32 for source NAT

Re: arp Flooding

Jameslee20 — Tue, 24 Sep 2024 22:17:01 GMT

I'm trying to look for Port scanning protection from scanning from outside

Do know what is call or name of it

Re: arp Flooding

Brandon_Wertz — Wed, 25 Sep 2024 12:27:22 GMT

@Jameslee20 wrote:

ISP <--> Cisco Router <--> palo alto firewall

outside -- > cisco router than to Palo Alto Firewall

When firewall see invalid port or our Public ip address it forwards ARP flood asking the router where this ip address or this address with port
Palo Alto has default out to the Cisco Router and when we did packet capture 69% of was ARP flooding asking where is this

There are CLI arp commands that would be really useful to troubleshoot in this situation. There's still a lack of IP infrastructure in your network so I'm not certain but I'll make some assumptions up.

Your border router owns 192.168.20.0/24 and it's the .1...We'll call this VLAN 20.

Your FW has an interface in VLAN 20? This is either a single physical interface 1/14.20 or in an ae1.20. The FW has an IP in .20. The IP address here, is it a /32 or something different? If there's no mask described then /32 is implicit. If it is something other than a /32 and the FW doesn't own that network this is likely your problem.

When you say the FW is garping out looking for a host this is usually because the FW isn't on the same L2. So I'd check the masks between the 2 networks and make sure something isn't off. After this is confirmed get into the CLI and look at the ARP table of the firewall the FW should see the MAC of the neighbor it's looking for here, or there's a routing problem.