This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Encrypted Traffic over the Palo Alto

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Encrypted Traffic over the Palo Alto

tiwara
L3 Networker

‎08-21-2014 06:22 AM

We have site to site VPN (both side PA) in our network, I want to send some encrypted traffic over the tunnel , How the palo alto will decide the encrypted traffic not to be scanned (threats) and filtering rule also not applied for the those traffic. Please suggest.

0 Likes Likes
4 REPLIES 4

HULK
L7 Applicator

‎08-21-2014 08:05 AM

If you are asking for, how to skip layer-7 processing (threats) for that encrypted traffic, we may need to apply an application-override policy for that. Reference DOC: How to Create an Application Override Policy

PAN has an application signature for ESP traffic:

ipsec-esp-application..jpg

Thanks

0 Likes Likes

tshiv
L4 Transporter

‎08-21-2014 11:12 AM

If the PA firewall is just a pass through device for site-to-site VPN traffic, then we cannot subject it to threat scanning. But in your case since we are the end points for tunnel traffic, you can skip threat scanning by not configuring security profiles and attaching them to the security rules that allow inbound and outbound encrypted traffic over the tunnel. It is as simple as that. I am not sure about your question on filtering though. Can you elaborate please?

Thanks

0 Likes Likes

hshah
L6 Presenter

‎08-21-2014 12:10 PM

Hi Tiwara,

Lets say Networks has following topology.

Host---(Trust)PANW(VPN)----Tunnel----- Other End of Tunnel

1. Host send a Packet and it Hits Trust Zone of The Firewall.

2. There is a Policy Between Turst and VPN zone. If that policy has anti-virus, vulnerability, anti-spyware profile configured than Firewall will scan packet. If Policy doesnt have any profile, Firewall will not scan traffic.

3. Now After scan Packet Hits Tunnel and then sent accross the tunnel in Encrypted Format.

NOTE: Firewall do not inspect any kind of encrypted traffic like SSL/IPsec.

Lets say if Host send a packet with SSL header[means encrypted], than Firewall will not inspect it. Because firewall can not read content. [story is different is decryption is configured on firewall]

Lets say if firewall gets pass through traffic for IPsec, still it will not scan it. Because its encrypted and firewall can not read it.

Let me know if it helps.

Regards,

Hardik Shah

0 Likes Likes

tiwara
L3 Networker

‎08-26-2014 03:12 AM

Hello All,

Thanks for all you suggestions .

0 Likes Likes
  • 3472 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks