Bypassing "Packets dropped: forwarded to different zone" limitation

L3 Networker

Dear community!

 

I'd like to consult with you about a possible solution for this scenario:

We have 2 internet lines from two interfaces of the PAN firewall connected to two different routers. Each interface is in a different zone.


When incoming and returning packets follow different paths, we have an asymmetric routing condition, similar to this one:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK

 

We configured the firewall to bypass the non-SYN TCP check, but we still have packets dropped with the counter "Packets dropped: forwarded to different zone".

 

Having both external interfaces in the same zone fixes the issue, but we'd like to have them in different zones.

 

A possible workaround could be using PBF as in this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK
But this is also not an option, because the number of return MAC entries supported is not big enough for all the incoming sessions, meaning the firewall will drop new sessions when the table is full.

 

+ Is there a workaround to bypass the "Packets dropped: forwarded to different zone" counter and allow the firewall to forward s2c traffic to a different zone?

 

Thank you!
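A small triage helper for the drop counter named above, added here as an example and not part of the original post or of PAN-OS: it parses the output of `show counter global filter delta yes severity drop` and flags the counters that point at an asymmetric return path. The sample output is constructed, and the counter names `flow_fwd_zonechange` and `flow_tcp_non_syn_drop` are assumed from memory of the PAN-OS counter list.

```python
import re

# Constructed sample in the shape of `show counter global filter delta yes
# severity drop` output (format and counter names from memory, values made up;
# this is NOT output from the poster's firewall).
SAMPLE_COUNTERS = """\
Global counters:
Elapsed time since last sampling: 3.465 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_fwd_zonechange                      173       49 drop      flow      forward   Packets dropped: forwarded to different zone
flow_tcp_non_syn_drop                     12        3 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_policy_deny                         880      254 drop      flow      session   Session setup: denied by policy
"""

# Drop counters that indicate an asymmetric return path, with the knob the
# thread discusses for each (counter names assumed, see lead-in).
ASYMMETRY_HINTS = {
    "flow_fwd_zonechange": "s2c packets arrive in a different zone than c2s; same zone or symmetric-return PBF",
    "flow_tcp_non_syn_drop": "first packet seen was not a SYN; check tcp-reject-non-syn and asymmetric-path",
}

COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)"
    r"\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+)$"
)

def parse_counters(text):
    """Parse counter rows; header, separator and summary lines do not match."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["value"] = int(row["value"])
            row["rate"] = int(row["rate"])
            rows.append(row)
    return rows

def asymmetry_findings(text, min_rate=1):
    """Return (counter, rate, hint) for known asymmetry drops still incrementing."""
    return [
        (r["name"], r["rate"], ASYMMETRY_HINTS[r["name"]])
        for r in parse_counters(text)
        if r["severity"] == "drop"
        and r["name"] in ASYMMETRY_HINTS
        and r["rate"] >= min_rate
    ]
```

Run it twice a few seconds apart against real output; a `flow_fwd_zonechange` rate that stays non-zero after the non-SYN and asymmetric-path changes confirms the drop is the zone change itself, which matches what the thread reports.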


Community Team Member

Hi @Carracido ,

 

I saw the same behavior with an A/A HA setup. Are you in the same setup?

If so, have you considered changing the session setup options?

 

For more info please check:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/session-setu...

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/session-owne...

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

Hi @kiwi,

 

Thank you for the answer.

No, we don't have an A/A HA setup, so that wouldn't be a solution for our scenario.

 

Cheers!

Cyber Elite

Hi @Carracido ,

You mentioned you have disabled the non-SYN TCP check, but did you set "asymmetric path" to bypass?

Have you allowed asymmetric path globally or per zone with a zone protection profile?

 

I haven't faced a situation like this, and I am wondering what the actual purpose of keeping the two ISP connections in different zones is?

Hi @Astardzhiev ,

 

We tried allowing asymmetric path both globally and per zone; still the same issue.

The purpose of keeping the two ISP connections in different zones is to have more granularity in the security policies.

 

Kind Regards.

Hi @Carracido ,

 

What are you gaining from this granularity? Do the benefits you will gain justify adding such complexity?

Don't get me wrong; as I said, I haven't worked with such a setup, and I am interested in the motives and whether there are any other acceptable solutions.

 

I was hoping for the asymmetric path setting to do the trick... It is very unlikely, but are you applying any IP spoofing protection with the zone protection profile?
