topic Re: intra-interface (packets enter and exit same interface) ? in General Topics

intra-interface (packets enter and exit same interface) ?

mpgioia — Mon, 09 Jan 2017 12:57:40 GMT

This is a problem for other vendors (and something must be enabled/configured to allow this to occur).

Have not tried this in PANOS, but wondering if this just works or is it a similar scenario where you must enable something in PANOS ?

http://www.networkstraining.com/permitting-traffic-to-enter-and-exit-the-same-interface-same-security-traffic-permit/

Re: intra-interface (packets enter and exit same interface) ?

TranceforLife — Mon, 09 Jan 2017 13:02:17 GMT

Hi,

If you are running PAN-OS 6.1 or above intrazone traffic permitted by default with intrazone-defult policy.

If you are running lower then 6.1 PAN-OS you ahve to create a policy to allow same zone traffic:

https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-Rules/ta-p/57491

Thx,

Myky

Re: intra-interface (packets enter and exit same interface) ?

mpgioia — Mon, 09 Jan 2017 13:07:52 GMT

In other vendors. ZONE and INTERFACE are two disinct things.

The INTRA-zone is not an issue, but INTRA-interface tends to be an issue and the capability to forward traffic (such that it INGRESSES and EGRESSES out the same interface) must be something explicitly enabled. but INTRA-zone tends to just work.

So.. is this 2 x distinct different things in PANOS also like other vendors.. or is ZONE and INTERFACE almagamated into the same thing in their OS architecture based on your reply ?

Re: intra-interface (packets enter and exit same interface) ?

TranceforLife — Mon, 09 Jan 2017 13:14:31 GMT

Hi,

Cisco ASA is interface based firewall and work a bit in different way then zone based firewall (PA, Juniper SRX ect).

If we are talking about PA, every interface beloning to the zone (only one zone). So if you want to permit same zone trafic (lets say one inreface configured in the zone OUTSIDE) you have to have a policy in place

Re: intra-interface (packets enter and exit same interface) ?

BPry — Mon, 09 Jan 2017 13:53:06 GMT

@mpgioia The Palo Alto looks strictly at zones and not interfaces when it comes to security profiles. Same interface traffic is looked at the same as intrazone traffic. The only thing that you really have to do is to verify that your static routes and security policies are setup in a way that this actually functions.

Re: intra-interface (packets enter and exit same interface) ?

mpgioia — Mon, 09 Jan 2017 14:09:52 GMT

@BPry , @TranceforLife. Music to my ears. Thankyou.

Re: intra-interface (packets enter and exit same interface) ?

reaper — Mon, 09 Jan 2017 15:59:47 GMT

TranceforLife wrote:

Hi,

If you are running PAN-OS 6.1 or above intrazone traffic permitted by default with intrazone-defult policy.

If you are running lower then 6.1 PAN-OS you ahve to create a policy to allow same zone traffic:

https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-Rules/ta-p/57491

Thx,

Myky

that's incorrect, intrazone traffic has always been allowed. PAN-OS 6.1 just made the policies visible 🙂

Depending on what you're trying to accomplish, you may need U-turn NAT to force returning packets back to the firewall interface so sessions process both directions of the flow: How to Configure U-Turn NAT

other than that there's no restrictions in bouncing traffic back out of the same interface

Re: intra-interface (packets enter and exit same interface) ?

TranceforLife — Mon, 09 Jan 2017 23:34:41 GMT

@reaper yes absolutely. Sorry my bad