topic Re: Traffic showing from wrong zone in General Topics

Traffic showing from wrong zone

Retired Member — Thu, 26 Apr 2018 14:53:16 GMT

Hello all, I have a (hopefully) simple problem I can't seem to figure out.

I have recently created a new DMZ zone on my PA for guest users, but when a guest tries to access the internet, the traffic is showing as sourcing from the trust zone instead of the DMZ zone. A trace from the guest user makes it to the PA, then dies. I have the policy from DMZ to untrust configured, but it never hits it, it's always using the trust to untrust policy.

I have a feeling I am missing something easy...

Any help will be much appreciated!

Re: Traffic showing from wrong zone

rmfalconer — Thu, 26 Apr 2018 15:09:42 GMT

Is the subnet with the guest traffic assigned to an interface on the PA? Is that interface set with the guest zone?

In the traffic log, what rule is it hitting?

Re: Traffic showing from wrong zone

Retired Member — Thu, 26 Apr 2018 15:21:02 GMT

Thanks for the quick reply rmfalconer!

Yes, the subinterface on the PA has a 172.16.0.251/21 assigned to it. The subinterface is assigned to the DMZ zone.

Mot sure if this matters, but the actual interface itself the subinterfaces belong to is assigned to the trust zone.

In the traffic log, it's hitting a trust zone to untrust zone policy, it shows it's sourcing from the subinterface assigned to the trust zone rather than the DMZ to untrust policy.

Re: Traffic showing from wrong zone

rmfalconer — Thu, 26 Apr 2018 15:25:52 GMT

Is the switchport connected to the PA a dot1q tagging interface?

Do you have the tag definition set correctly on the PA subinterface?

Re: Traffic showing from wrong zone

Mick_Ball — Thu, 26 Apr 2018 15:26:19 GMT

what is the ip/mask of the actual interface

Re: Traffic showing from wrong zone

Retired Member — Thu, 26 Apr 2018 15:30:35 GMT

The actual interface doesnt have an IP address assigned, the subinterface for the guest users has an IP of 172.16.0.251/21.

Re: Traffic showing from wrong zone

Retired Member — Thu, 26 Apr 2018 16:17:19 GMT

Yep, the switchport is configured and tagged correctly, and the tagging is set on the PA as well.

From a guest laptop, my trace hits the gateway (172.16.0.250) IP assigned to my gateway router, then the next hop is the 10.x.x.x trust IP on the PA.

From the PA, I can ping my guest laptop sourcing from the DMZ subinterface.

Re: Traffic showing from wrong zone

rmfalconer — Thu, 26 Apr 2018 16:31:46 GMT

Just trying to get a picture for the traffic flow.

How is the routing set on your gateway? Is there a default that points to the trust interface of the PA?

Is 172.16.0.250 a subinterface on the gateway router or a separate physical interface? Does this interface connect to the same switch where the PA connects?

Would the flow look something like this:

Client--[guest vlan]-->Switch1--[dot1q]-->Gateway--[dot1q]-->Switch1--[dot1q]-->PA

Re: Traffic showing from wrong zone

Retired Member — Thu, 26 Apr 2018 16:42:36 GMT

You are right, I have a layer 3 Brocade switch as my gateway router, it's default route is pointing to the trust subinterface on the PA.

The 172.16.0.250 is the IP of the VE on the gateway router.

Your flow looks correct, so the guest laptop on vlan 172, hits the ve172 on the gateway router, then takes the default route to the PA.

Re: Traffic showing from wrong zone

rmfalconer — Thu, 26 Apr 2018 17:00:04 GMT

Once the traffic hits that L3 boundary and routes with the default, it will lose the vlan tagging info so it won't get to the correct subinterface on the PA.

I think the easiest solution to this is to move the gateway for the guest vlan off the router and onto the PA. The PA can provide DHCP so the guest network would be self-contained, with the PA controlling all access.

Another option that might work is to move the guest vlan to a separate vrf on the router and control the next hop through the separate routing table.

Re: Traffic showing from wrong zone

Retired Member — Fri, 27 Apr 2018 12:22:45 GMT

Thanks for the info rmfalconer! I moved the gateway up to the PA and all is working well now.