Palo Alto firewall that it does not take decision upon first packet while other firewalls take..

L1 Bithead

Palo Alto firewall that it does not take decision upon first packet while other firewalls take..


I came to know one thing about the Palo Alto firewall: it does not take a decision upon the first packet, it takes the decision after the three-way handshake.

Other firewalls take the decision after the first packet. What does it mean, and how is it beneficial in terms of Palo Alto firewalls?

L5 Sessionator

Re: Palo Alto firewall that it does not take decision upon first packet while other firewalls take..

Depends on how you configure rules.

Let's say you want to allow web browsing.

Option A: rule allows web-browsing on any port.

PA has to allow enough traffic on any destination port to make sure the session is web-browsing before it can make a decision. So for TCP you can do a 3-way handshake on any destination port and traffic will go through until PA notices it's not a web-browsing session.

Option B: rule allows web-browsing only on application-default ports.

PA has to allow enough traffic on destination port 80 to make sure the session is web-browsing before it can make a decision. Traffic on any other destination port will be dropped before it finishes the 3-way handshake (already the SYN packet will be dropped).



L3 Networker

Re: Palo Alto firewall that it does not take decision upon first packet while other firewalls take..

Or Option C (like any other firewall): allow any application on port 80.

PAN makes the decision at the first TCP SYN packet when traffic comes in on port 80 and allows any traffic on port 80.

;-)

... yes, I'm kidding, sorry.

L1 Bithead

Re: Palo Alto firewall that it does not take decision upon first packet while other firewalls take..

It makes reading the logs more of an art form than a science, because now you have to weed out the entries that say the traffic was allowed but the application is incomplete. Since the firewall has to allow the traffic through until it can identify the application, you get these somewhat confusing entries in the logs.

The users tend to blame the firewall for things not working, and you can't really tell them "the firewall allowed it" since that's not the definitive entry, for it may or may not have blocked it further along in the conversation.
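The three rule styles from the replies above (app on any port, app on application-default ports, any app on a port) and the "allowed but incomplete" log entries described in the last reply, as an added illustration that is not from this thread or from Palo Alto Networks. It is a simplified model of when a rule can be decided for a TCP session; the port table, session fields and log shape are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed subset of application-default ports for the illustration.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}


@dataclass
class Rule:
    app: str                 # application name, or "any"
    port: Union[str, int]    # "any", "application-default", or a port number


@dataclass
class Session:
    dst_port: int
    handshake_done: bool        # did the TCP 3-way handshake complete?
    payload_app: Optional[str]  # app seen in the first payload; None if none arrived


@dataclass
class LogEntry:
    action: str   # "allow" or "deny"
    app: str      # what the traffic log would show as the application
    stage: str    # "syn", "handshake" or "app-id": when the decision was made


def evaluate(rule: Rule, s: Session) -> LogEntry:
    # Stage 1: the SYN. Only the destination port can be judged here.
    if rule.port != "any":
        if rule.port == "application-default":
            ok_ports = APP_DEFAULT_PORTS.get(rule.app, set())
        else:
            ok_ports = {rule.port}
        if s.dst_port not in ok_ports:
            return LogEntry("deny", "not-applicable", "syn")
    if rule.app == "any":
        # Option C: the port match is the whole decision, taken at the SYN.
        return LogEntry("allow", s.payload_app or "incomplete", "syn")
    # Stage 2: an app-based rule must let the handshake through to see payload.
    if not s.handshake_done or s.payload_app is None:
        return LogEntry("allow", "incomplete", "handshake")
    # Stage 3: first payload classified; only now can the app rule be applied.
    action = "allow" if s.payload_app == rule.app else "deny"
    return LogEntry(action, s.payload_app, "app-id")


def ambiguous_allows(logs: List[LogEntry]) -> List[LogEntry]:
    """Entries that read 'allow' but never reached an App-ID decision."""
    return [e for e in logs if e.action == "allow" and e.app == "incomplete"]
```

Running the same SYN-only session through rules A and B shows the difference: rule A logs an allow with application "incomplete", while rule B denies it at the SYN when the port is not 80.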
