Encrypted Traffic over the Palo Alto

L3 Networker

We have a site-to-site VPN (both sides PA) in our network. I want to send some encrypted traffic over the tunnel. How will the Palo Alto decide that the encrypted traffic is not to be scanned (threats), and that the filtering rule is also not applied to that traffic? Please suggest.

L7 Applicator

Re: Encrypted Traffic over the Palo Alto

If you are asking how to skip layer-7 processing (threats) for that encrypted traffic, we may need to apply an application-override policy for that. Reference doc: How to Create an Application Override Policy

PAN has an application signature for ESP traffic:

[image: ipsec-esp-application.jpg]

Thanks

L4 Transporter

Re: Encrypted Traffic over the Palo Alto

If the PA firewall is just a pass-through device for site-to-site VPN traffic, then we cannot subject it to threat scanning. But in your case, since we are the endpoints for the tunnel traffic, you can skip threat scanning by not configuring security profiles and attaching them to the security rules that allow inbound and outbound encrypted traffic over the tunnel. It is as simple as that. I am not sure about your question on filtering, though. Can you elaborate, please?

Thanks

L6 Presenter

Re: Encrypted Traffic over the Palo Alto

Hi Tiwara,

Let's say the network has the following topology.

Host---(Trust)PANW(VPN)----Tunnel----- Other End of Tunnel

1. The host sends a packet and it hits the Trust zone of the firewall.

2. There is a policy between the Trust and VPN zones. If that policy has anti-virus, vulnerability and anti-spyware profiles configured, then the firewall will scan the packet. If the policy doesn't have any profile, the firewall will not scan the traffic.

3. After the scan, the packet hits the tunnel and is then sent across the tunnel in encrypted form.

NOTE: The firewall does not inspect any kind of encrypted traffic like SSL/IPsec.

Let's say the host sends a packet with an SSL header [meaning it is encrypted]; then the firewall will not inspect it, because the firewall cannot read the content. [The story is different if decryption is configured on the firewall.]

Let's say the firewall gets pass-through IPsec traffic; it still will not scan it, because it is encrypted and the firewall cannot read it.

Let me know if it helps.

Regards,

Hardik Shah
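The two answers above describe the mechanism in words: a security rule that carries no security profiles (the L4 Transporter's and L6 Presenter's point) allows traffic without threat scanning, and an application-override rule (the L7 Applicator's point) stops App-ID layer-7 inspection of a flow it cannot read anyway. The following PAN-OS `set` CLI fragment puts both into one configuration as an added example; it is not from this thread or from Palo Alto Networks documentation. The zone names `trust` and `vpn`, the subnets, the rule names and the custom application object `custom-encrypted-app` (which must already exist as a custom application) are all assumed; lines beginning with `#` are annotations, not CLI input; and the exact syntax should be checked against the PAN-OS CLI reference for the release in use before pasting.

```text
# --- Narrow rules WITHOUT profile-setting: matching flows are allowed but
# --- never threat-scanned (no anti-virus / vulnerability / anti-spyware).
# --- Keep source, destination and application as tight as possible, since
# --- anything matching here bypasses threat inspection entirely.
set rulebase security rules allow-encrypted-to-tunnel from trust to vpn source 10.1.1.0/24 destination 10.2.2.0/24 application custom-encrypted-app service any action allow
set rulebase security rules allow-encrypted-from-tunnel from vpn to trust source 10.2.2.0/24 destination 10.1.1.0/24 application custom-encrypted-app service any action allow

# --- General rule WITH profiles: everything else heading into the tunnel is
# --- scanned with the default profiles.
set rulebase security rules allow-general-to-tunnel from trust to vpn source any destination any application any service application-default action allow
set rulebase security rules allow-general-to-tunnel profile-setting profiles virus default vulnerability default spyware default

# --- Rule order matters: the narrow, unscanned rule must sit above the
# --- general one, otherwise the general (scanned) rule wins.
move rulebase security rules allow-encrypted-to-tunnel before allow-general-to-tunnel

# --- Application override: classify the encrypted flow on TCP/8443 (assumed
# --- port) as custom-encrypted-app so App-ID stops layer-7 inspection of it
# --- and the security rules above match it by that name. One rule per direction.
set rulebase application-override rules override-encrypted-app from trust to vpn source 10.1.1.0/24 destination 10.2.2.0/24 protocol tcp port 8443 application custom-encrypted-app
set rulebase application-override rules override-encrypted-app-return from vpn to trust source 10.2.2.0/24 destination 10.1.1.0/24 protocol tcp port 8443 application custom-encrypted-app

commit

# --- Check (operational mode): confirm which rule a sample flow would hit,
# --- then confirm that rule carries no profile-setting.
test security-policy-match from trust to vpn source 10.1.1.10 destination 10.2.2.10 protocol 6 destination-port 8443
show running security-policy
```

Two points follow from the answers above. First, the override is only needed for traffic the firewall would otherwise try to identify and inspect at layer 7, such as a custom encrypted protocol on a TCP port; pass-through ESP is already identified by the built-in ESP signature the L7 Applicator shows, and there is nothing in it for a threat profile to read. Second, the profile-less rule is the real scanning bypass, so from a defensive standpoint it should match only the specific encrypted application between the specific subnets, and the wide, profile-carrying rule should remain underneath it for everything else.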

L3 Networker

Re: Encrypted Traffic over the Palo Alto

Hello All,

Thanks for all your suggestions.
