topic Re: Packet Flow Query - FW Inspection in General Topics

Packet Flow Query - FW Inspection

RoutingWithJon — Mon, 21 Jun 2021 12:19:01 GMT

Hi Everyone,

I've been madly studying the Packet Flow Diagram that outlines the different checks/stages that a Packet goes through via a PA FW and I had a question with the 3rd check in the Ingress phase called 'FW Inspection applicable'. If Inspection is applicable then it carries into the IPSec/SSL VPN tunnel check but if Inspection is not applicable I see it go directly to the Forwarding/Egress stage.

I was hoping to understand what scenarios FW Inspection would be disabled thus triggering this type of path?

Re: Packet Flow Query - FW Inspection

S.Cantwell — Tue, 22 Jun 2021 14:59:05 GMT

Hello there

There are a few diagrams and training materials that detail the Packet Flow Logic. Can you share a screen share or snippet to ensure we are all discussing the same thing? I am aware of the flow logic, and after a packet ingress, it could hit IPSec/SSL VPN traffic or it goes slowpath or fast path. So either a VPN is found, or it is not, and we would continue analysis.

This is where I am getting confused. Just show/point out specifically where you have questions, and we will be glad to assist you.

Re: Packet Flow Query - FW Inspection

Remo — Tue, 22 Jun 2021 16:19:03 GMT

@RoutingWithJon is talking about this one here:

Available at https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

Re: Packet Flow Query - FW Inspection

S.Cantwell — Tue, 22 Jun 2021 17:11:52 GMT

Thanks for that... yet I do not believe that document is 100% accurate (although it is hugely popular)

This is what happens at the ingress stage: Note, there is no bypassing slow/fastpath, as shown in the Day in a Life of a Packet.

I am only stating that a packet could be inbound towards the physical interface and we exam the packet to see if the DestAddr is behind the FW.

It is possible that arps/broadcasts would be seen by the FW, agreed, but the FW would not respond.

It is possible that intrazone traffic could be ingressed, be seen by the FW, and then egress from the same interface that the packet just ingressed from, I guess, that would bypass any FW processing, because there would not be any FW processing needed.

Re: Packet Flow Query - FW Inspection

Remo — Tue, 22 Jun 2021 18:13:30 GMT

With arp I agree (even though I don't know exactly). Maybe also routing protocol traffic is taking that path. But in both cases it wouldn't be as this path is showing. There definately is packet processing involved - simply not the same processing as "normal" traffix has to go through.

"Normal" traffic which arrives at an interface and has the same egress interface also is precessed / inspected by the firewall, so - as far as I know - there is no packet in and directly out for such traffic.

Maybe @jdelio or @reaper could add some more information here about what traffic is meant by this direct path between ingress and egress stage?

Re: Packet Flow Query - FW Inspection

RoutingWithJon — Fri, 25 Jun 2021 10:04:07 GMT

Hey Steve, Interesting to hear your thoughts on the "Day in the life of a packet" diagram. That diagram you included looks fairly clear around the absence of the "FW Inspection" Process.

Any chance you should share that diagram? I'm keen to take a look at it as it sounds more accurate than the "Day in the life" diagram.