<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: External/Untrust IP's showing up as Internal/Trust in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/external-untrust-ip-s-showing-up-as-internal-trust/m-p/337946#M85036</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/125387"&gt;@dennistobias&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Was this working prior to the upgrade to 9.1.2 as expected, or is this something that you are just trying to configure now?&lt;/P&gt;
&lt;P&gt;Just to verify exactly what you are talking about; in your traffic logs you are currently seeing traffic with an ingress interface of your ae2.699 interface when you should be seeing the ingress interface of ae1.706 and ae1.707? Is that correct?&lt;/P&gt;
&lt;P&gt;Since the traffic is actually coming in on a completely different AE and a completely separate group of interfaces, I would want to take a PCAP on the switch side of things and verify that the switch is routing the traffic as it should. The firewall will accept any traffic that comes in on a zone's assigned interfaces (one of the reasons we say never use 'any' in source/destination address) and accept and route the traffic according to your rulebase and routing statements. It really seems like something upstream is causing this issue if we're seeing the traffic ingress on an improper interface when you do the PCAP.&lt;/P&gt;</description>
    <pubDate>Sun, 12 Jul 2020 13:21:35 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2020-07-12T13:21:35Z</dc:date>
    <item>
      <title>External/Untrust IP's showing up as Internal/Trust</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-untrust-ip-s-showing-up-as-internal-trust/m-p/337897#M85023</link>
      <description>&lt;P&gt;I am at a complete loss as to what I am seeing. I have PA-3250s running 9.1.2 code in L3 mode. The interfaces are split up into 2 aggregated ethernet interfaces, each using subinterfaces (ae1.706, ae1.707, ae2.699, ae2.698, etc.). When looking at traffic logs I see my interfaces assigned to ae1.706 and ae1.707 sourcing traffic from my trust zone when they are in an untrust zone. A pcap confirms that the traffic is indeed being sourced and it is coming in on ae2.699! How in the world does this work? I am losing my mind.&lt;/P&gt;</description>
      <pubDate>Sun, 12 Jul 2020 01:32:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-untrust-ip-s-showing-up-as-internal-trust/m-p/337897#M85023</guid>
      <dc:creator>dennistobias</dc:creator>
      <dc:date>2020-07-12T01:32:41Z</dc:date>
    </item>
    <item>
      <title>Re: External/Untrust IP's showing up as Internal/Trust</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-untrust-ip-s-showing-up-as-internal-trust/m-p/337946#M85036</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/125387"&gt;@dennistobias&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Was this working prior to the upgrade to 9.1.2 as expected, or is this something that you are just trying to configure now?&lt;/P&gt;
&lt;P&gt;Just to verify exactly what you are talking about; in your traffic logs you are currently seeing traffic with an ingress interface of your ae2.699 interface when you should be seeing the ingress interface of ae1.706 and ae1.707? Is that correct?&lt;/P&gt;
&lt;P&gt;Since the traffic is actually coming in on a completely different AE and a completely separate group of interfaces, I would want to take a PCAP on the switch side of things and verify that the switch is routing the traffic as it should. The firewall will accept any traffic that comes in on a zone's assigned interfaces (one of the reasons we say never use 'any' in source/destination address) and accept and route the traffic according to your rulebase and routing statements. It really seems like something upstream is causing this issue if we're seeing the traffic ingress on an improper interface when you do the PCAP.&lt;/P&gt;</description>
      <pubDate>Sun, 12 Jul 2020 13:21:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-untrust-ip-s-showing-up-as-internal-trust/m-p/337946#M85036</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-07-12T13:21:35Z</dc:date>
    </item>
  </channel>
</rss>

