GRE traffic being dropped by PAN

Farzana — Tue, 18 Jul 2017 03:42:02 GMT

Hello,

An internal host is attempting to establish PPTP tunnel connection with an outside Internet host. The internal host accesses the Internet over NAT (actually PAT) on firewall's outside IP address. There was no issue with PPTP (TCP 1723) connection, but GRE (IP 47) packets from the remote host could not reach the internal host. Packet capture on the firewall shows GRE packets got dropped on "drop" stage, and cannot be seen on "transmit" or "firewall" stage captures.

On some firewalls there is a feature known as PPTP inspection, where the PPTP traffic will be inspected by the firewall, and based on the PPTP session info, incoming GRE traffic will be NATed and forwarded to the correct internal host. May I know if such feature is available on PAN firewall (software 6.1.6), or is there actually alternate configuration to achieve the same result?

Thanks in advance.

Re: GRE traffic being dropped by PAN

abjain — Tue, 18 Jul 2017 03:48:53 GMT

Hi,

I have tested this on 7.1 and 8.0. It works. Not exactly sure since then is this supported but in these versions firewall will open predict session for GRE traffic.

Best Regards

Re: GRE traffic being dropped by PAN

Farzana — Wed, 19 Jul 2017 00:41:24 GMT

Thank you for the confirmation. Closing the loop by mentioning that we set up 1-to-1 NAT and that solved the issue.

topic Re: GRE traffic being dropped by PAN in General Topics

GRE traffic being dropped by PAN

Re: GRE traffic being dropped by PAN

Re: GRE traffic being dropped by PAN