I think the title of my subject is explisite, I want to get Cisco Discovery Protocol (CDP) traffic through my palo alto, which is in virtual wire the problem is that frame cdp does not contain IP header so my the question is how to get it through a firewall.
I did catch the traffic levels I see the traffic coming into the firewall and I see it being simply droped
Solved! Go to Solution.
Check your Traffic Log. Which rule is denying the traffic?
Is this traffic moving between interfaces in the same zone?
Is it moving between two different zones? Do you have a policy defined to allow traffic between those zones?
You shouldn't need anything more than the proper security policy configuration for this to work.
The traffic has to pass between two interfaces in diffirents zone, you tell me that i have to make a polcie to allow CDP packets but CDP packets don't have any IP or TCP header how can i made a police to allow this type of traffic.
CDP is a multicast protocol. Have you enabled "multicast firewalling" on the vwire? That ought to allow the traffic. The PAN does not pass multicast traffic in its default configuration state.
I did some more reading on CDP and found this Cisco.com web page (http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml#cdp). It states, "CDP uses SNAP encapsulation with type code 2000".
Unfortunately, it looks like there is not a solution to your issue. The release notes for PAN-OS 3.1.9 and 4.0.4 both list a known issue, bug 908. It reads, " LLC SNAP/802.2 packets do not pass through the device". There are no plans to change this at this time.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!