GRE protocol traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GRE protocol traffic

L3 Networker

Hello to All,

I noticed some strange behavior regarding GRE protocol, and try to explain what exactly is strange:

Customer has unfortunate GRE VPN tunnel and in one policy "Public_ulaz_GRE" they stated to pass only GRE and NVGRE protocol respectively. (following picture)

gre_policy.jpg 

But, when you filter traffic by mentioned policy, you can see that beside legitimate, bunch of non-gre traffic are allowed by this policy!??

gre_filter.jpg

Is someone have reasonable explanation for this behavior?

Regards,

Tician

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello Tician,

Yes this is expected if "Public_ulaz_GRE" lies at the top of your security rules .  Before the 3-way handshake completes and the session's application is detected as incomplete/in-sufficient data, the security policy lookup for the session will match the first security policy which matches all attributes except application.  Once the 3-way handshake completes and the firewall sees a data packet which can be used to identify the app the session will shift the application to the appropriate value and do another security policy lookup.


Because the application is not known, when the SYN packet is received, the application portion of the security policies can not be applied.  As a result, the security policy lookup is performed against the 6 tuples of the session, source and destination IP and port, ingress interface (actually zone) and protocol.  The first policy which matches these 6 tuples will be used to allow the SYN and any additional packets that traverse the firewall before the application is identified.


Hope that helps!



Thanks and regards,

Kunal Adak

View solution in original post

2 REPLIES 2

L5 Sessionator

Hello Tician,

Yes this is expected if "Public_ulaz_GRE" lies at the top of your security rules .  Before the 3-way handshake completes and the session's application is detected as incomplete/in-sufficient data, the security policy lookup for the session will match the first security policy which matches all attributes except application.  Once the 3-way handshake completes and the firewall sees a data packet which can be used to identify the app the session will shift the application to the appropriate value and do another security policy lookup.


Because the application is not known, when the SYN packet is received, the application portion of the security policies can not be applied.  As a result, the security policy lookup is performed against the 6 tuples of the session, source and destination IP and port, ingress interface (actually zone) and protocol.  The first policy which matches these 6 tuples will be used to allow the SYN and any additional packets that traverse the firewall before the application is identified.


Hope that helps!



Thanks and regards,

Kunal Adak

Hello Kunal,

yes this is very helpful answer, thank you...

  • 1 accepted solution
  • 5570 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!