Dynamic Protocols on Palo Alto Networks Devices that Do Not Require Security Policies to Operate

Created On 09/25/18 19:24 PM - Last Modified 06/09/23 03:18 AM


Resolution


Most dynamic routing protocols exchange routing information by sending to a well-known multicast group address rather than to each peer's unicast address. The common dynamic routing protocols in use today and their multicast addresses are:

  • BGP: None
  • OSPF: 224.0.0.5 (AllSPFRouters), 224.0.0.6 (AllDRRouters)
  • RIP (RIPv2): 224.0.0.9
  • EIGRP: 224.0.0.10 (Currently not supported on Palo Alto Networks firewalls)
  • PIM: 224.0.0.13

 

By default, most routers, Palo Alto Networks firewalls included, originate these multicast messages from the control plane. Control plane traffic is not evaluated against the policies defined for the data plane, and the data plane is where the firewall's security policy is enforced.

 

Explanation

For example, with a deny-any-any rule at the bottom of the security rulebase, the dynamic protocols listed above that rely only on multicast addressing still form proper neighbor relationships with their peers. The exceptions are the unicast exchanges described below, which the rulebase does see.

  • BGP does not use a multicast address at all. Peers communicate over a unicast TCP session on port 179 by default, so BGP must be permitted by a security policy on the data plane in order to function.
  • OSPF has a caveat. To form a neighbor relationship, OSPF sends hello messages to the multicast address. To reach full adjacency, however, OSPF neighbors may send database description (DBD) messages to each other's unicast addresses, and that unicast traffic is evaluated by the security policy.
    Note: This means that, if there is a deny-any-any rule at the bottom of the rulebase, a security policy permitting application ospf between the zones involved (typically an intrazone rule, from and to the same zone) is required.
  • RIP and PIM communicate only via their multicast addresses, so no security policy is needed for the exchanges described in this article. (Caveat: PIM sparse mode Register and Register-Stop messages between a first-hop router and the rendezvous point are unicast and would be subject to policy.)

 

Other protocols on the Palo Alto Networks firewall:

  • When the firewall acts as a DHCP server, the dhcpd service runs on the control plane, but depending on the DHCP transaction in progress a security policy may still be needed.
  • A host that comes up on the network for the first time and sits on the same LAN as the firewall obtains its address with broadcast DHCP messages (DISCOVER and REQUEST sent to 255.255.255.255). No security policy is needed for this exchange.
  • A host that has been up for a while and is renewing or releasing a lease it already holds sends those DHCP messages as unicast to the server. They must be permitted by a security policy.
  • If the firewall is the DHCP server but its clients are not on the same LAN, there is most likely a DHCP relay in the network converting the clients' broadcasts into unicast messages. Those unicast requests from the relay router must be permitted by a security policy. The same applies when the firewall itself is the DHCP relay agent.

 

DNS, NTP, SNMP, GlobalProtect and the other services the firewall provides or consumes all use unicast addresses for their communication and therefore must be permitted by security policies.
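The distinction above is easy to get wrong when a rulebase ends in an explicit deny-any-any, so the following added example (not Palo Alto Networks code, and not taken from this article) models it as a small rulebase check. It treats the multicast routing groups and the broadcast DHCP exchange as control-plane traffic that never reaches the rulebase, runs every other flow through first-match evaluation, and reports which of the protocol flows discussed in this article a given rulebase would drop. The zone names, rule names, addresses and the simplified rule model (zone pair plus App-ID, no address or service matching) are assumptions for illustration; the fallback to the PAN-OS predefined intrazone-default allow and interzone-default deny rules is real behavior.

```python
from dataclasses import dataclass

# Multicast groups this article lists as control-plane routing traffic.
# EIGRP's 224.0.0.10 is omitted because the firewall does not run EIGRP.
CONTROL_PLANE_GROUPS = {
    "224.0.0.5": "ospf",   # AllSPFRouters
    "224.0.0.6": "ospf",   # AllDRRouters
    "224.0.0.9": "rip",
    "224.0.0.13": "pim",
}
LIMITED_BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    app: str        # App-ID name as the firewall would identify it


@dataclass(frozen=True)
class Rule:
    """Simplified stand-in for a PAN-OS security rule (assumption: only
    zone pair and application are matched)."""
    name: str
    from_zone: str  # "any" matches every zone
    to_zone: str
    app: str        # App-ID name, or "any"
    action: str     # "allow" or "deny"


def handled_by_control_plane(flow: Flow) -> bool:
    """Traffic the article says never reaches the data-plane rulebase:
    routing-protocol packets sent to their multicast groups, and the
    broadcast DHCP exchange of a directly attached client."""
    if flow.dst in CONTROL_PLANE_GROUPS:
        return True
    return flow.app == "dhcp" and flow.dst == LIMITED_BROADCAST


def evaluate(rulebase: list[Rule], flow: Flow) -> str:
    """First-match evaluation. When no explicit rule matches, fall back to the
    PAN-OS predefined defaults: intrazone-default allow, interzone-default deny."""
    if handled_by_control_plane(flow):
        return "control-plane"
    for r in rulebase:
        if (r.from_zone in ("any", flow.src_zone)
                and r.to_zone in ("any", flow.dst_zone)
                and r.app in ("any", flow.app)):
            return r.action
    return "allow" if flow.src_zone == flow.dst_zone else "deny"


def blocked(rulebase: list[Rule], flows: dict[str, Flow]) -> list[str]:
    """Names of the flows the rulebase would drop, in rulebase order of test."""
    return [name for name, f in flows.items() if evaluate(rulebase, f) == "deny"]


# Constructed sample flows, one per case discussed in the article.
FLOWS = {
    "ospf-hello":    Flow("trust", "trust", "10.0.0.1", "224.0.0.5", "ospf"),
    "ospf-dbd":      Flow("trust", "trust", "10.0.0.1", "10.0.0.2", "ospf"),
    "rip-update":    Flow("trust", "trust", "10.0.0.1", "224.0.0.9", "rip"),
    "pim-hello":     Flow("trust", "trust", "10.0.0.1", "224.0.0.13", "pim"),
    "bgp-session":   Flow("untrust", "untrust", "192.0.2.1", "192.0.2.2", "bgp"),
    "dhcp-discover": Flow("trust", "trust", "0.0.0.0", "255.255.255.255", "dhcp"),
    "dhcp-renew":    Flow("trust", "trust", "10.0.0.50", "10.0.0.1", "dhcp"),
    "dhcp-relayed":  Flow("dmz", "trust", "10.1.0.1", "10.0.0.1", "dhcp"),
}

# The rulebase the article warns about: an explicit deny-any-any at the bottom.
DENY_ALL = [Rule("deny-any-any", "any", "any", "any", "deny")]

# The same rulebase with the unicast exceptions the article calls for.
WITH_EXCEPTIONS = [
    Rule("allow-ospf-intrazone", "trust", "trust", "ospf", "allow"),
    Rule("allow-bgp-peering", "untrust", "untrust", "bgp", "allow"),
    Rule("allow-dhcp-to-firewall", "any", "trust", "dhcp", "allow"),
    Rule("deny-any-any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for label, rb in (("deny-all", DENY_ALL), ("with-exceptions", WITH_EXCEPTIONS)):
        print(f"{label}: blocked = {blocked(rb, FLOWS)}")
```

Running it shows that the deny-any-any rulebase leaves the OSPF hellos, RIP, PIM and the client's broadcast DHCP exchange untouched (they are answered from the control plane) while dropping the OSPF DBD exchange, the BGP session and both unicast DHCP cases; the rulebase with the three allow rules in front of the deny drops none of them.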

 

owner: tasonibare



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXsCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail