In this week's Discussion of the Week (DotW), we're taking a closer look at an interesting question asked by Community member MicGioia:
One important factor in determining which connections will work without manual intervention, and which will not, is that Palo Alto Networks firewalls are zone based. Traffic is processed according to the source zone and destination zone a packet belongs to: the source zone is the zone of the ingress interface, and the destination zone is the zone of the egress interface found by a route lookup on the destination address.
Every firewall comes with two implied security policies at the end of the rulebase (security rules are processed top to bottom, so these two only match when no earlier rule does): intrazone-default and interzone-default.
These two policies ensure that sessions from a zone to that same zone (e.g. trust to trust) are permitted, and sessions from one zone to a different zone (e.g. trust to untrust) are blocked, unless an earlier rule in the security rulebase overrides them.
That answers the above question: will packets be allowed to egress the same interface they ingressed on? Yes. A packet that enters and leaves the same interface has the same source and destination zone, so intrazone-default allows it without any explicit rule. Note that intrazone-default does not log by default; override the rule and enable logging if you want to see these sessions in the traffic log.
A typical use case is a remote network that is not directly connected to a firewall interface but must be reached through a router on the local LAN (e.g. an MPLS remote office), for which the local clients have no route other than their default gateway, the firewall.
However, for this type of workaround it is advisable to create a U-Turn NAT policy, so that returning packets are also passed via the firewall interface. Without it the remote site replies to the client's own address, the local router delivers that reply straight to the client, and the firewall sees only one direction of the flow. Translating the source to the firewall's interface address makes the remote side reply to the firewall, which then forwards the reply to the client; the firewall can then inspect both directions: How to Configure U-Turn NAT
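To make the evaluation order concrete, here is a small model of the zone-based decision described above. It is an added example, not PAN-OS code; the interface names, addresses, zones, routing table and rule names are assumptions constructed for the illustration. It derives the destination zone from a route lookup, processes user rules top to bottom followed by the two implied defaults, and checks whether the remote site's reply would traverse the firewall with and without U-Turn NAT.

```python
"""Simplified model of a zone-based rulebase with implied default rules.
Illustrative code, not PAN-OS; topology, names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: one firewall, two interfaces, two zones.
INTERFACES = {
    "ethernet1/1": {"zone": "untrust", "ip": "203.0.113.2"},
    "ethernet1/2": {"zone": "trust", "ip": "10.1.1.1"},
}

# Constructed routing table (prefix, egress interface); longest prefix wins.
# 10.20.0.0/16 is a remote MPLS site reached via router 10.1.1.254 on the LAN,
# i.e. via the same interface the local clients arrive on.
ROUTES = [
    ("10.1.1.0/24", "ethernet1/2"),
    ("10.20.0.0/16", "ethernet1/2"),
    ("0.0.0.0/0", "ethernet1/1"),
]


@dataclass
class Rule:
    name: str
    from_zone: str   # "any", "same" (intrazone) or a zone name
    to_zone: str
    action: str      # "allow" or "deny"


# The two implied rules that sit at the end of every rulebase.
IMPLIED_RULES = [
    Rule("intrazone-default", "same", "same", "allow"),
    Rule("interzone-default", "any", "any", "deny"),
]


def egress_interface(dst_ip):
    """Longest-prefix-match route lookup returning the egress interface."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1]


def zone_of(iface):
    return INTERFACES[iface]["zone"]


def evaluate(rulebase, src_zone, dst_zone):
    """Walk user rules top to bottom, then the implied defaults; first match wins."""
    for r in rulebase + IMPLIED_RULES:
        if r.from_zone == "same":          # intrazone-default semantics
            if src_zone == dst_zone:
                return r.name, r.action
            continue
        if r.from_zone in ("any", src_zone) and r.to_zone in ("any", dst_zone):
            return r.name, r.action
    raise AssertionError("unreachable: interzone-default matches everything")


def decide(rulebase, ingress_iface, dst_ip):
    """Source zone from the ingress interface, destination zone from the route lookup."""
    src_zone = zone_of(ingress_iface)
    egress = egress_interface(dst_ip)
    dst_zone = zone_of(egress)
    rule, action = evaluate(rulebase, src_zone, dst_zone)
    return {"egress": egress, "src_zone": src_zone, "dst_zone": dst_zone,
            "rule": rule, "action": action}


def return_path_hits_firewall(client_ip, translated_src=None):
    """Does the remote site's reply traverse the firewall?
    The LAN router delivers a reply addressed to the client directly on the LAN,
    bypassing the firewall. Only if the source was translated to the firewall's
    own interface address (U-Turn NAT) is the reply addressed to the firewall."""
    reply_dst = translated_src if translated_src else client_ip
    return reply_dst == INTERFACES["ethernet1/2"]["ip"]


if __name__ == "__main__":
    # Client on ethernet1/2 reaching the MPLS site: same zone both ways.
    print(decide([], "ethernet1/2", "10.20.0.10"))
    # Same client reaching the internet: different zone, blocked by default.
    print(decide([], "ethernet1/2", "8.8.8.8"))
    print("reply via firewall without NAT:", return_path_hits_firewall("10.1.1.50"))
    print("reply via firewall with U-Turn NAT:", return_path_hits_firewall("10.1.1.50", "10.1.1.1"))
```

An explicit trust-to-trust deny rule placed before the defaults blocks the hairpin traffic, which is how you would stop it if that is the desired behaviour; conversely an explicit allow rule lets you turn on logging and apply security profiles that the implied rule does not.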
Interested in participating? Follow the original discussion here: intra-interface (packets enter and exit same interface) ?
As always, please feel free to leave any comments below, too!
Thanks!
reaper