topic Re: PA-220 Strange IP Spoofing Behaviour in General Topics

PA-220 Strange IP Spoofing Behaviour

Chris-UNN — Fri, 28 Feb 2020 13:34:54 GMT

Hi,

My colleague and myself are complete Palo newbies so apologies as this is probably covered elsewhere but I don't know what to search for as I've never seen a firewall do this. We bought a PA-220 for evaluation intending to possibly move away from Cisco.

My colleague configured it in a basic way and the box has completely disrupted the test subnet:

The outside interface was configured with an ip address in a subnet, let's call it X, i.e.

firewall ip = 192.168.X.146

subnet mask = 255.255.255.0

static route with next hop = 192.168.X.254

The PA-220 then sent out packets repeatedly spoofing every possible ip in the range, i.e. 192.168.X.1 to 192.168.X.254 so that everything else in that subnet became intermittently unavailable and of course when the PA-220 reached the router IP, .254 everything was affected - so we had an arp table on the router that looked like this:

Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.X.7 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.6 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.5 45 a08c.fdea.724b ARPA VlanX
Internet 192.168.X.4 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.3 2 40a8.f05f.a190 ARPA VlanX
Internet 192.168.X.2 10 f439.090a.9513 ARPA VlanX
Internet 192.168.X.1 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.15 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.14 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.13 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.12 10 f439.090a.940b ARPA VlanX
Internet 192.168.X.11 39 8cdc.d43a.7f9e ARPA VlanX
Internet 192.168.X.10 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.9 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.8 2 40a8.f045.e603 ARPA VlanX
Internet 192.168.X.23 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.22 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.21 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.20 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.19 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.18 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.17 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.16 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.31 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.30 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.29 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.28 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.27 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.26 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.25 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.24 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.39 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.38 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.37 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.36 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.35 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.34 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.33 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.32 81 34e5.ecb5.0b17 ARPA VlanX

The mac address of the PA-220 is 34e5.ecb5.0b17.

Just wondering if anyone could point us in the right direction regarding why our box did this.

Thanks,

Chris.

Re: PA-220 Strange IP Spoofing Behaviour

batd2 — Fri, 28 Feb 2020 15:06:51 GMT

@Chris-UNN This is can happen when you misconfigure NAT and put a mask to the NAT IP addresses.

Re: PA-220 Strange IP Spoofing Behaviour

Chris-UNN — Fri, 28 Feb 2020 15:43:05 GMT

Hi Batd2,

Thanks for the reply. I know my colleague had overload NAT configured,

translation set to dynamic ip and port,

address type set to interface address,

interface set to outside ethernet (1/8)

ip address set to 192.168.X.146/24 --------- looks like this was the culprit...

But there was no PC at that time connected to the inside.

So it seems that the firewall understandably took 192.168.X.146/24 as a pool to use, but I still don't see why it sent out packets using every ip sequentially in that range when there was nothing on the inside trying to connect outwards.

Thanks again,

Chris.

Re: PA-220 Strange IP Spoofing Behaviour

batd2 — Fri, 28 Feb 2020 16:48:38 GMT

@Chris-UNN Is it possible that your colleague configured it as "bi-directional" or Destination NAT?

In this case, the firewall will use ARP to indicate to its neighbours that it owns the IPs and traffic can be sent to it.

Re: PA-220 Strange IP Spoofing Behaviour

Chris-UNN — Mon, 02 Mar 2020 14:42:49 GMT

Hi Batd2,

My colleague (who does exist, really) can't now remember exactly how he had configured the box as he was using the web gui.

But, I'd say your suggestion that the firewall sent out ARPs to claim every ip in the subnet sounds like the most likely cause so I'll accept this as the solution. Thanks very much for your help and the speedy response.

Best Regards,

Chris.