This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Asynchronous Security Zones?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Asynchronous Security Zones?

ALSdburns
L1 Bithead

‎11-21-2023 12:30 PM

Is there an issue with asynchronous routing if the traffic passes through different security zones? We have our PAs setup with subinterfaces for our respective VLANs. So we have:

Eth1/3.10

Eth1/3.20

Eth1/3.30

Eth1/3.40

 

These subinterfaces connect to a trunk port on an Aruba 6300. The 6300 just has a default route configured which points to to the Palo Alto Eth1/3.10 IP address. That means Internet traffic leaving the 6300 will go through Eth1/3.10 but return traffic will go through the respective sub interface because of the connected route. This has never been an issue before when all subinterfaces were in the same security zone. I recently tried changing the security zone of Eth1/3.10 and after that change all subinterfaces except eth1/3.10 stopped connecting properly. The traffic fails despite nothing getting blocked. If I run a pcap I see the traffic leaving and returning as expected. The only error I am getting is if I 'run show counter global filter delta yes severity drop' it will have 'Packets dropped: forwarded to different zone' as one of the counters. 

 

Is there something wrong with this setup? We do not have any zone protection profile applied, and have tried even adding an allow all policy to ensure everything is allowed so I don't understand why the traffic is being dropped. Does the PA just not allow traffic to leave on one zone and return on another?

 

0 Likes Likes
2 REPLIES 2

rmfalconer
L5 Sessionator

‎11-21-2023 02:15 PM

There probably is an issue with asymmetry on zone traversal. If you look at session information, it shows c2s and s2c flows including the zones on each side. I would imagine the traffic needs to stick to these zones and not return through a different zone pair.

Why do you have subinterfaces for each vlan on the firewall? If you have a default on 10 on the core switch, why have subs for the other vlans? 

0 Likes Likes

ALSdburns
L1 Bithead
In response to rmfalconer

‎11-21-2023 02:40 PM

Thanks for the reply, I kind of figured that was what was going on but I can't find documentation to confirm. I have a support ticket open as well and they said the configuration is valid, but it seems like that must be incorrect. What I think it is and what you seem to be alluding to is that the return traffic has a session lookup, the session is found but has mismatched zones, and the packets are dropped. 

 

To be honest, it is mostly a holdover from the config before I started. Now we mostly keep it to stay uniform (some sites have gateway set to the PA instead of a core switch for various reasons). If we could get this configuration to work properly, we'd also filter inbound traffic to certain zones. Maybe we need to rethink it however. 

0 Likes Likes
  • 544 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks