09-24-2024 10:39 AM
Cisco router is getting flooded by Palo Alto firewall
Source NAT is basically getting scanned from random countries outside.
We deal with users in other countries, and blocking by country will not work.
The ranges from outside go to our public IP addresses.
It looks like scanning, because it's a range of our public IP addresses.
What can we do to stop it, or what protection is there?
It looks like this, but I'm using private addresses as an example; they are scanning our two /24 public IP ranges.
192.168.20.1 port
192.168.20.3 port
192.168.20.5 port
192.168.20.16 port
Etc...
09-24-2024 10:52 AM
Traffic is like this?
Internet > Palo > Cisco router
Does Palo have NAT policy that this traffic matches?
Can you share it?
09-24-2024 12:50 PM - edited 09-24-2024 12:52 PM
It doesn't match some ports or valid IP addresses, and the Palo Alto sends an ARP request asking who has the port or IP address.
Some people are doing random scanning of those invalid ports and invalid IP addresses.
We do have valid ports and valid IPs, but not all are used.
09-24-2024 01:53 PM
@Jameslee20 wrote:
Cisco router is getting flooded by Palo Alto firewall
Source NAT is basically getting scanned from random countries outside.
We deal with users in other countries, and blocking by country will not work.
The ranges from outside go to our public IP addresses.
It looks like scanning, because it's a range of our public IP addresses.
What can we do to stop it, or what protection is there?
It looks like this, but I'm using private addresses as an example; they are scanning our two /24 public IP ranges.
192.168.20.1 port
192.168.20.3 port
192.168.20.5 port
192.168.20.16 port
Etc...
I want to clarify what you're saying is actually going on:
"Cisco router is getting flooded by Palo Alto firewall" ... "It looks like scanning, because it's a range of our public IP addresses"
What is your boundary architecture? ISP <--> Border Router <--> Palo FW ?? Is this how your edge is deployed?
If I described your boundary correctly, does your border router "own" your public IP space? When you say that the Palo is "flooding" your Cisco router, are you meaning that the downstream Palo is "arping" out for IPs that the border router owns? If all of what I described is true, then my suspicion is that the L3 interface object on your PA firewall is set with the wrong mask. If the IP object is a /24 for instance, but the /24 is actually owned by the upstream router, then the Palo will actually ARP out for all IPs in the /24. In this instance the IP object on the L3 interface of the Palo needs to just be a /32. Converting the IP object to a /32 will stop the upstream Cisco border router from seeing the Palo flood it.
Hopefully this is getting at what you're seeing. If not please clarify.
09-24-2024 03:08 PM
ISP <--> Cisco Router <--> Palo Alto firewall
Outside --> Cisco router, then to Palo Alto Firewall
When the firewall sees an invalid port or one of our public IP addresses, it forwards an ARP flood asking the router where this IP address, or this address with port, is.
Palo Alto has a default route out to the Cisco router, and when we did a packet capture, 69% of it was ARP flooding asking where this is.
09-24-2024 03:12 PM
When we searched for the public IP addresses for the source NAT, they were /32.
I mean, I can double check; we didn't see a /24 and saw /32 for source NAT.
09-24-2024 03:17 PM
I'm trying to look for port scanning protection against scanning from outside.
Do you know what it is called, or the name of it?
09-25-2024 05:27 AM
@Jameslee20 wrote:
ISP <--> Cisco Router <--> Palo Alto firewall
Outside --> Cisco router, then to Palo Alto Firewall
When the firewall sees an invalid port or one of our public IP addresses, it forwards an ARP flood asking the router where this IP address, or this address with port, is.
Palo Alto has a default route out to the Cisco router, and when we did a packet capture, 69% of it was ARP flooding asking where this is.
There are CLI arp commands that would be really useful to troubleshoot in this situation. There's still a lack of IP infrastructure detail in your description of the network, so I'm not certain, but I'll make some assumptions.
Your border router owns 192.168.20.0/24 and it's the .1. We'll call this VLAN 20.
Your FW has an interface in VLAN 20? This is either a single physical interface 1/14.20 or in an ae1.20. The FW has an IP in .20. The IP address here, is it a /32 or something different? If there's no mask described then /32 is implicit. If it is something other than a /32 and the FW doesn't own that network this is likely your problem.
When you say the FW is garping out looking for a host this is usually because the FW isn't on the same L2. So I'd check the masks between the 2 networks and make sure something isn't off. After this is confirmed get into the CLI and look at the ARP table of the firewall the FW should see the MAC of the neighbor it's looking for here, or there's a routing problem.
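As an added example (not from the thread or from Palo Alto), here is a small Python model of the mask problem described in the two replies above: it shows which destinations a firewall L3 interface treats as on-link, and therefore ARPs for directly, under a /24 versus a /32. It reuses the thread's RFC 1918 example addresses and assumes a constructed firewall interface IP of .2 with the router at .1.

```python
"""Model of how an L3 interface mask decides whether the firewall sends an
ARP who-has for a destination itself or forwards it to its default gateway.
Constructed example: router owns 192.168.20.0/24 (.1), firewall is .2."""
import ipaddress
from typing import Iterable, Optional, Set

# Destinations from the thread's scan example (constructed, RFC 1918).
SCANNED = ["192.168.20.1", "192.168.20.3", "192.168.20.5", "192.168.20.16"]


def arp_resolve_set(iface_cidr: str, gateway: str, dsts: Iterable[str]) -> Set[str]:
    """Return the set of IPs the firewall must resolve via ARP to deliver
    traffic to `dsts`.  A destination inside the interface's connected
    network is resolved directly; anything else goes to the gateway, so only
    the gateway's MAC is needed (and it is cached after one request)."""
    iface = ipaddress.ip_interface(iface_cidr)
    targets: Set[str] = set()
    for d in dsts:
        ip = ipaddress.ip_address(d)
        if ip == iface.ip:
            continue  # traffic to the firewall itself needs no ARP
        targets.add(str(ip) if ip in iface.network else gateway)
    return targets


def mask_warning(iface_cidr: str, router_owned_cidr: str) -> Optional[str]:
    """Flag an interface whose connected network overlaps a prefix that the
    upstream router owns: every unused address in that prefix then becomes
    an ARP who-has from the firewall.  A /32 never triggers this."""
    iface = ipaddress.ip_interface(iface_cidr)
    owned = ipaddress.ip_network(router_owned_cidr)
    if iface.network.num_addresses > 1 and iface.network.overlaps(owned):
        return (f"interface {iface} claims {iface.network} as connected, "
                f"but {owned} is owned upstream: set the address as a /32")
    return None


if __name__ == "__main__":
    for cidr in ("192.168.20.2/24", "192.168.20.2/32"):
        print(cidr, "-> ARP targets:", sorted(arp_resolve_set(cidr, "192.168.20.1", SCANNED)))
        print("   ", mask_warning(cidr, "192.168.20.0/24") or "mask OK")
```

With the /24 the firewall resolves every scanned address itself (the flood the capture showed); with the /32 it only ever resolves the router.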