Failing close..


L4 Transporter

I think Palo Alto refers to "Failing Close" as still allowing traffic through in the event of a failure. And by default, I think the Palo Alto 4020 Fails OPEN. Is there any way to set it to fail closed?

We are using our Palo Alto as more of a sensor/monitor, not so much as a Firewall. We would like to put the Palo Alto inline with some parts of our network to make better use of it, but we're a little hesitant to because of the fact that if it fails, it will stop all traffic.

4 REPLIES

L3 Networker

Why not use two boxes in an HA-pair? If that isn't an option and you really would like to bypass security in the event of a failure you can buy equipment that fails open and add it to your configuration. Don't think they are that expensive either.

L0 Member

Hi,

As Oscar said, if you can't afford a second unit for HA, use an external bypass system.

PAN makes firewalls (the most important security device in your network) and will never introduce (imho) a bypass feature in its devices. 🙂

L0 Member

There may still be some confusion on this topic so here is my 10c worth!

RE: Fail open/Fail closed - See page 33 of the "Designing Networks with Palo Alto Networks Firewalls Suggested Designs for Potential and Existing Customers" pdf (https://live.paloaltonetworks.com/docs/DOC-2561)

This is, however, the exact opposite of electronics and specifically relay terminology; see: fail-safe (fail-open, fail-close) - What is fail-safe (fail-open, fail-close)

Generally speaking the terminology within networking seems to be:

fail-open: in case of power failure (or during reboot or so) all data will be let through (if you do this on an IPS you can't really say it will work as an IPS, more like an IDS+: when it works it will block bad traffic, but when it's dead it will let bad traffic pass through).

fail-close: opposite of the above, meaning if no power then no packets will be let through. Same during reboot etc. This is how a proper IPS or FW should work, in my opinion.

fail-safe: this is a bit shaky but often a mix of the above. Cases can be like when running out of buffers, then traffic should be let through until there are enough free buffers available again. Another case can be if the internal CPU/FPGA/ASIC/whatever resources pass a threshold, let's say 95% utilization, it will stop inspecting any more packets (but let them pass through instead) until the usage drops. If you do this on an IPS I would call it an IDS+ rather than an IPS. The real-life result could be that regular bad traffic is stopped, but if the attacker (if using a web browser) presses and holds ctrl+f5 for a few minutes then all bad traffic during this time frame will most likely bypass this unit.

When it comes to redundancy you can use etherchannel through a bunch of PA units which are running VWIRE (also to gain performance) as described in http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf
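Added example, not part of the original thread and not Palo Alto code: a small model of an inline inspection device under the three failure modes as the last reply defines them, run over constructed traffic to show how much passes uninspected in each mode. The 95% bypass threshold comes from that reply; the `Packet` fields, the sample traffic, and treating fail-safe like fail-close on power loss are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class FailMode(Enum):
    OPEN = "fail-open"
    CLOSE = "fail-close"
    SAFE = "fail-safe"

@dataclass
class Packet:
    powered: bool     # inline device has power and is not rebooting
    utilization: int  # inspection engine load (%) when the packet arrives
    malicious: bool   # True if inspection would block this packet

# Constructed sample traffic: normal load, overload, then power loss.
SAMPLE = [
    Packet(True, 40, False), Packet(True, 40, True),
    Packet(True, 97, False), Packet(True, 97, True),
    Packet(False, 0, False), Packet(False, 0, True),
]

def forward(mode, pkt, bypass_threshold=95):
    """Return (forwarded, inspected) for one packet."""
    if not pkt.powered:
        # Dead device: only fail-open keeps passing traffic.
        # Assumption: fail-safe behaves like fail-close on power loss.
        return (mode is FailMode.OPEN, False)
    if mode is FailMode.SAFE and pkt.utilization >= bypass_threshold:
        return (True, False)  # overload bypass: passed without inspection
    return (not pkt.malicious, True)  # normal path: inspect, block bad traffic

def summarize(mode, packets):
    """Count outcomes; uninspected_forwarded is the figure worth alerting on."""
    stats = {"forwarded": 0, "dropped": 0,
             "uninspected_forwarded": 0, "malicious_forwarded": 0}
    for pkt in packets:
        forwarded, inspected = forward(mode, pkt)
        if not forwarded:
            stats["dropped"] += 1
            continue
        stats["forwarded"] += 1
        stats["uninspected_forwarded"] += not inspected
        stats["malicious_forwarded"] += pkt.malicious
    return stats

if __name__ == "__main__":
    for mode in FailMode:
        print(mode.value, summarize(mode, SAMPLE))
```

Only fail-close keeps `malicious_forwarded` at zero, at the cost of dropping legitimate traffic while the device is down; that trade-off is what the HA pair or external bypass suggested in the replies addresses.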
