https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2544#M1896 <HTML><HEAD></HEAD><BODY><P>Hello to All, </P><P></P><P></P><P>I noticed some strange behavior regarding GRE protocol, and try to explain what exactly is strange:</P><P></P><P></P><P>Customer has unfortunate GRE VPN tunnel and in one policy "Public_ulaz_GRE" they stated to pass only GRE and NVGRE protocol respectively. (following picture)</P><P></P><P><IMG alt="gre_policy.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10356_gre_policy.jpg" style="width: 620px; height: 23px;" />&nbsp; </P><P>But, when you filter traffic by mentioned policy, you can see that beside legitimate, bunch of non-gre traffic are allowed by this policy!??</P><P></P><P><IMG alt="gre_filter.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10357_gre_filter.jpg" style="width: 620px; height: 253px;" /></P><P>Is someone have reasonable explanation for this behavior?</P><P></P><P></P><P>Regards,</P><P></P><P>Tician</P></BODY></HTML> Tue, 17 Dec 2013 11:49:29 GMT Tician 2013-12-17T11:49:29Z https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2544#M1896 <HTML><HEAD></HEAD><BODY><P>Hello to All, </P><P></P><P></P><P>I noticed some strange behavior regarding GRE protocol, and try to explain what exactly is strange:</P><P></P><P></P><P>Customer has unfortunate GRE VPN tunnel and in one policy "Public_ulaz_GRE" they stated to pass only GRE and NVGRE protocol respectively. (following picture)</P><P></P><P><IMG alt="gre_policy.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10356_gre_policy.jpg" style="width: 620px; height: 23px;" />&nbsp; </P><P>But, when you filter traffic by mentioned policy, you can see that beside legitimate, bunch of non-gre traffic are allowed by this policy!??</P><P></P><P><IMG alt="gre_filter.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10357_gre_filter.jpg" style="width: 620px; height: 253px;" /></P><P>Is someone have reasonable explanation for this behavior?</P><P></P><P></P><P>Regards,</P><P></P><P>Tician</P></BODY></HTML> Tue, 17 Dec 2013 11:49:29 GMT https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2544#M1896 Tician 2013-12-17T11:49:29Z https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2545#M1897 <HTML><HEAD></HEAD><BODY><P>Hello Tician,</P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Yes this is expected if <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">"Public_ulaz_GRE"</SPAN> lies at the top of your security rules .&nbsp; Before the 3-way handshake completes and the session's application is detected as incomplete/in-sufficient data, the security policy lookup for the session will match the first security policy which matches all attributes except application.&nbsp; Once the 3-way handshake completes and the firewall sees a data packet which can be used to identify the app the session will shift the application to the appropriate value and do another security policy lookup.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Because the application is not known, when the SYN packet is received, the application portion of the security policies can not be applied.&nbsp; As a result, the security policy lookup is performed against the 6 tuples of the session, source and destination IP and port, ingress interface (actually zone) and protocol.&nbsp; The first policy which matches these 6 tuples will be used to allow the SYN and any additional packets that traverse the firewall before the application is identified.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Hope that helps!</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Thanks and regards,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Kunal Adak<BR /></SPAN></P></BODY></HTML> Tue, 17 Dec 2013 17:22:43 GMT https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2545#M1897 kadak 2013-12-17T17:22:43Z https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2546#M1898 <HTML><HEAD></HEAD><BODY><P>Hello Kunal,</P><P></P><P>yes this is very helpful answer, thank you...</P></BODY></HTML> Tue, 17 Dec 2013 23:28:49 GMT https://live.paloaltonetworks.com/t5/general-topics/gre-protocol-traffic/m-p/2546#M1898 Tician 2013-12-17T23:28:49Z