Firewall dropping HTTP only from specific source network


L0 Member

Hello. I've come upon an extremely strange situation that I'm hoping to get some assistance on. I've already opened a case with Palo support, but they seem to be at a loss as well.

 

For one specific internal network, the edge Palo Alto is dropping HTTP (80) packets at the internal interface. Even more strange, it seems that packets are somehow changing to port 25 and then proceeding through proper packet filtering. But, because the destination (Internet) sites aren't hosting SMTP services, of course that traffic is being reset.

 

Troubleshooting-wise, I've enabled packet capture/filtering and run the command "show counter global filter packet-filter yes delta yes severity drop", and the one recurring error found is: Packets dropped: forwarded to different zone

 

Unfortunately, no changes have been made recently to the routing table. All sessions have been cleared (restarted the firewall). I've deleted some legacy zones to be sure they weren't causing issues. I've also tried enabling a zone protection profile and allowing asymmetric routing, but that didn't help either.

 

Using "test routing fib-lookup virtual-router "default router" ip <destIP>" shows that proper routing will be used. Using the same command and testing the return traffic routing also shows proper hops.

 

A last couple of notes: if I change the routing to circumvent the firewall completely (using a separate ISP), HTTP traffic works properly. When going through the firewall, all other traffic works just fine (PING, traceroutes, SSL, etc.), so I don't think it's anything to do with routing, though the error seems to point that way.

 

Any help would be much appreciated.

3 REPLIES

Cyber Elite

@mhill99,

That's an extremely odd thing to run into. Out of curiosity, have you verified that you don't have a specific NAT statement or PBF rule in place for this specific source network? That is the only thing that I can think of that could potentially be changing the source port like that if routing is working properly when you take the firewall out of the equation. 

L4 Transporter

Adding on to what BPry said, do you have a NAT Policy rule with a Translated Packet option "Translated Port" set to port 25? I.e. you created a policy to NAT traffic to/from your mail server and explicitly set the translated port option (perhaps not setting the Original Packet service), instead of allowing the original destination port to take precedence. 
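The check the two replies above describe (a NAT rule whose Translated Packet destination port is set while the Original Packet service is left at "any", so it rewrites the destination port of every flow it matches) can be done mechanically against an exported rulebase. The following is an added example, not code from this thread or from Palo Alto Networks; it works on a constructed, simplified model of NAT rules rather than the PAN-OS configuration API, and the rule names, zones and addresses are made up. It flags any rule that would rewrite the destination port for a given source host without a service constraint, which is what would turn port 80 traffic into port 25 traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed, simplified model of a NAT policy rule (hypothetical field names,
# not the PAN-OS configuration schema).
@dataclass
class NatRule:
    name: str
    source_addrs: List[str]            # CIDRs, or ["any"]
    service: str                       # Original Packet service, e.g. "any" or "tcp/80"
    translated_port: Optional[int]     # Translated Packet destination port, if set
    disabled: bool = False


def matches_source(rule: NatRule, src_ip: str) -> bool:
    """True if the rule's Original Packet source address covers src_ip."""
    if "any" in rule.source_addrs:
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in rule.source_addrs)


def audit_translated_port(rules: List[NatRule], src_ip: str) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every enabled rule that rewrites the
    destination port of flows from src_ip without an Original Packet service
    constraint. Rules are evaluated top-down like the firewall does, so the
    first match is also reported as the one that would actually apply."""
    findings = []
    for rule in rules:
        if rule.disabled or rule.translated_port is None:
            continue
        if not matches_source(rule, src_ip):
            continue
        if rule.service == "any":
            findings.append((rule.name,
                             f"rewrites destination port to {rule.translated_port} "
                             f"for all services from {src_ip}"))
    return findings


def first_matching_rule(rules: List[NatRule], src_ip: str) -> Optional[str]:
    """Name of the first enabled rule whose source matches src_ip (top-down)."""
    for rule in rules:
        if not rule.disabled and matches_source(rule, src_ip):
            return rule.name
    return None


# Constructed rulebase for illustration.
SAMPLE_RULES = [
    # Explicit translated port with no service restriction: every flow from
    # 10.20.0.0/16 would be rewritten to port 25, not just mail traffic.
    NatRule("mail-relay-out", ["10.20.0.0/16"], "any", 25),
    # Same idea but correctly constrained to the mail service.
    NatRule("mail-relay-ok", ["10.30.0.0/16"], "tcp/25", 25),
    # Ordinary source-NAT overload rule: no port rewrite.
    NatRule("outbound-overload", ["any"], "any", None),
]

if __name__ == "__main__":
    for name, reason in audit_translated_port(SAMPLE_RULES, "10.20.5.7"):
        print(f"{name}: {reason}")
```

On a real firewall the rulebase would come from the XML API or `show running nat-policy`; the point of the audit is that an unconstrained Original Packet service plus a fixed Translated Port is a rule that silently rewrites unrelated traffic, and it is ordered before the overload rule so it wins.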

Thanks, guys. Unfortunately, there is no PBF policy whatsoever and I've verified that outbound traffic is hitting the correct NAT policy for overload. No static translated port translation.
