https://live.paloaltonetworks.com/t5/general-topics/pa-firewall-can-t-properly-reassemble-fragmented-packets-if-the/m-p/197261#M58657 <P>Hi PA Expert,</P><P>&nbsp;</P><P>We have a network environment that have an <STRONG>asymmetric routing</STRONG> and <STRONG>fragmented traffics</STRONG>.</P><P>&nbsp;</P><P>Model: PA5060</P><P>PANOS: 8.0.6-h3</P><P>Method: vwire mode</P><P>No security profiles applied, no zone protection, no QOS, just single security policy that allow all.</P><P>&nbsp;</P><P>Already applied this setting to allow asymmetric:</P><P>&nbsp;</P><P>set deviceconfig setting session tcp-reject-non-syn no</P><P>set deviceconfig setting tcp asymmetric-path bypass</P><P>&nbsp;</P><P>All internet traffics are backhauled from this branch to HQ using 2 different ISP.</P><P>&nbsp;</P><P>ISP1: MTU 1500</P><P>ISP2: MTU 1380</P><P>&nbsp;</P><P>** we can't change (not allowed to change) MTU size on ISP2.</P><P>** also, we not allowed to change the network design.</P><P>&nbsp;</P><P>Since this is a fully-converged network (ospf) traffic will go to any ISP but the 'return route' from HQ will not follow the same way the traffic is originating.</P><P>HQ will load balance the traffic, so means that the traffic will go back to ISP1 or ISP2.</P><P>&nbsp;</P><P>When the traffic coming from ISP2 (mtu 1380), i know the traffic will be fragmented. But, when the 'fragmented packet' reached to Palo Alto, look like PA firewall can't properly reassemble the fragmented packets.</P><P>This will cause all TCP related traffic such as http can't load. The browser will keep loading. User complaining slowness issue.</P><P>But, when i bypass PA, all will back to normal.</P><P>&nbsp;</P><P>To prove that MTU size is the issue here, We have try to force HQ to set the 'return route' using ISP1 (mtu 1500) only.</P><P>The PA is still there (intercepting the traffic) and the results is.....no issue occurred.&nbsp; All webpage load successfully.</P><P>&nbsp;</P><P>So, the BIGGEST question is....yes we know the MTU size on ISP2 will cause packet to be fragmented.</P><P>There is no issue at all for all traffics.. No slowness issue. All application can load without issue.</P><P>But, why after intercepting with 'PALO ALTO FIREWALL'&nbsp; this issue will happen?</P><P>&nbsp;</P><P>Does this issue caused by this statement: ?</P><P>&nbsp;</P><DIV class="lia-message-body lia-component-body"><DIV class="lia-message-body-content"><P>Because H3 added new anti-packet-evasion techniques.</P><P>&nbsp;NSS labs discovered they could use certain fragmentation attacks to completely bypass the PAN IPS. So H3 was released which introduces protections against these which require symmetric traffic for the PAN to be able to reassemble the fragments.</P><DIV>&nbsp;</DIV><DIV>So, does that mean that there will be issue if trying to assemble packet in "Asymmetric" traffic?</DIV><DIV>&nbsp;</DIV><DIV>So, we need your advise how we can solve this issue? Any workaround or settings that must be done on PA to properly reassemble fragmented packets?</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>Thank You!</DIV></DIV></DIV><P>&nbsp;</P><P>&nbsp;</P> Sun, 28 Jan 2018 17:56:31 GMT azman_ansar 2018-01-28T17:56:31Z https://live.paloaltonetworks.com/t5/general-topics/pa-firewall-can-t-properly-reassemble-fragmented-packets-if-the/m-p/197261#M58657 <P>Hi PA Expert,</P><P>&nbsp;</P><P>We have a network environment that have an <STRONG>asymmetric routing</STRONG> and <STRONG>fragmented traffics</STRONG>.</P><P>&nbsp;</P><P>Model: PA5060</P><P>PANOS: 8.0.6-h3</P><P>Method: vwire mode</P><P>No security profiles applied, no zone protection, no QOS, just single security policy that allow all.</P><P>&nbsp;</P><P>Already applied this setting to allow asymmetric:</P><P>&nbsp;</P><P>set deviceconfig setting session tcp-reject-non-syn no</P><P>set deviceconfig setting tcp asymmetric-path bypass</P><P>&nbsp;</P><P>All internet traffics are backhauled from this branch to HQ using 2 different ISP.</P><P>&nbsp;</P><P>ISP1: MTU 1500</P><P>ISP2: MTU 1380</P><P>&nbsp;</P><P>** we can't change (not allowed to change) MTU size on ISP2.</P><P>** also, we not allowed to change the network design.</P><P>&nbsp;</P><P>Since this is a fully-converged network (ospf) traffic will go to any ISP but the 'return route' from HQ will not follow the same way the traffic is originating.</P><P>HQ will load balance the traffic, so means that the traffic will go back to ISP1 or ISP2.</P><P>&nbsp;</P><P>When the traffic coming from ISP2 (mtu 1380), i know the traffic will be fragmented. But, when the 'fragmented packet' reached to Palo Alto, look like PA firewall can't properly reassemble the fragmented packets.</P><P>This will cause all TCP related traffic such as http can't load. The browser will keep loading. User complaining slowness issue.</P><P>But, when i bypass PA, all will back to normal.</P><P>&nbsp;</P><P>To prove that MTU size is the issue here, We have try to force HQ to set the 'return route' using ISP1 (mtu 1500) only.</P><P>The PA is still there (intercepting the traffic) and the results is.....no issue occurred.&nbsp; All webpage load successfully.</P><P>&nbsp;</P><P>So, the BIGGEST question is....yes we know the MTU size on ISP2 will cause packet to be fragmented.</P><P>There is no issue at all for all traffics.. No slowness issue. All application can load without issue.</P><P>But, why after intercepting with 'PALO ALTO FIREWALL'&nbsp; this issue will happen?</P><P>&nbsp;</P><P>Does this issue caused by this statement: ?</P><P>&nbsp;</P><DIV class="lia-message-body lia-component-body"><DIV class="lia-message-body-content"><P>Because H3 added new anti-packet-evasion techniques.</P><P>&nbsp;NSS labs discovered they could use certain fragmentation attacks to completely bypass the PAN IPS. So H3 was released which introduces protections against these which require symmetric traffic for the PAN to be able to reassemble the fragments.</P><DIV>&nbsp;</DIV><DIV>So, does that mean that there will be issue if trying to assemble packet in "Asymmetric" traffic?</DIV><DIV>&nbsp;</DIV><DIV>So, we need your advise how we can solve this issue? Any workaround or settings that must be done on PA to properly reassemble fragmented packets?</DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>Thank You!</DIV></DIV></DIV><P>&nbsp;</P><P>&nbsp;</P> Sun, 28 Jan 2018 17:56:31 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-firewall-can-t-properly-reassemble-fragmented-packets-if-the/m-p/197261#M58657 azman_ansar 2018-01-28T17:56:31Z https://live.paloaltonetworks.com/t5/general-topics/pa-firewall-can-t-properly-reassemble-fragmented-packets-if-the/m-p/197323#M58663 <P>disabling protections and sanity checks should not be the route to take, as this will render yoiur firewall less effective:</P> <P>&nbsp;</P> <P>Do you happen to have a cluster? you could consider HA in Active/Active to tackle assymetry</P> <P>&nbsp;</P> <P>If you enable layer3 mode, you can also force the MTU to be lower for both links (by adjusting the mss header), this would prevent fragmentation:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Enabling 'Adjust TCP MSS' will inject a new mss header in the tcp packet, reducing MTU on the returning packets" style="width: 721px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13453iFCB47F50220849FF/image-size/large?v=v2&amp;px=999" role="button" title="mss.png" alt="Enabling 'Adjust TCP MSS' will inject a new mss header in the tcp packet, reducing MTU on the returning packets" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Enabling 'Adjust TCP MSS' will inject a new mss header in the tcp packet, reducing MTU on the returning packets</span></span></P> <P>also, if you're able to converge both links before they reach the firewall, you wouldn't have an assymetry issue either (you could aggregate both links into a single vwire)</P> Mon, 29 Jan 2018 09:25:35 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-firewall-can-t-properly-reassemble-fragmented-packets-if-the/m-p/197323#M58663 reaper 2018-01-29T09:25:35Z