01-15-2023 10:20 PM
Hi, how can I avoid internet traffic inspection on my PA? We already have a PA inspecting the internet traffic and we want to set up this particular PA for inspecting only the internal traffic.
TIA
01-16-2023 07:05 AM
Hi @arpitshrm84 ,
Your question is too broad and generic, are you able to provide some high-level diagram and brief explanation of your setup?
But in general, Palo Alto applies (so-called) deep packet inspection by specifying Security Profiles for each traffic rule. This means that you can create a traffic rule matching the traffic you don't want to inspect (source/destination addresses and ports) and just not apply any Security Profiles to this traffic.
01-16-2023 06:11 PM
Hi, thank you very much for your response.
Let me explain a bit more in detail.
As of now, we have a branch office which is connected to the DC. So the internet traffic is coming to the DC and going out through the Internet PA. Now we want to put another PA between the branch office and the DC which should inspect only the internal network (10.0.0.0/8), since the internet traffic will be inspected by the Internet PA anyway.
Current Setup:
Branch Office —— DC—— Internet PA
Proposed Setup:
Branch Office — Internal PA— DC—— Internet PA
What is the best solution for this? Can application override achieve this?
TIA
01-16-2023 09:54 PM
By default Palo performs application identification.
You can add security profiles to a security policy to enable the IPS feature.
If you don't want IPS, then don't add a security profile to the security policy.
If you want to see what threats pass by but don't want to block them, then create security profiles in alert mode to put traffic inspection into IDS mode instead of IPS.
Application override is generally bad practice, as this will make the Palo a dumb router: it will only look at the first 4 layers and not try to identify the application at all.
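A configuration sketch of the design the two replies describe, added here as an example (not from this thread, and not Palo Alto Networks' own documentation): PAN-OS configure-mode `set` commands on the internal PA that attach a Security Profile group only to the branch-to-DC rule for 10.0.0.0/8 and leave the internet-bound rule without profiles. The zone names (branch, dc), the address-object, rule and profile-group names are assumptions; check the exact CLI syntax against your PAN-OS version before committing.

```text
# Added example; zone, object and rule names are assumed. Run in configure mode on the internal PA.
set address Internal-Net ip-netmask 10.0.0.0/8

# Profile group built from the predefined profiles; attached only to internal traffic
set profile-group Internal-Inspection virus default spyware strict vulnerability strict

# Rule 1: internal-to-internal traffic gets full content inspection (threat prevention)
set rulebase security rules Inspect-Internal from branch to dc
set rulebase security rules Inspect-Internal source Internal-Net destination Internal-Net
set rulebase security rules Inspect-Internal application any service application-default action allow
set rulebase security rules Inspect-Internal profile-setting group Internal-Inspection
set rulebase security rules Inspect-Internal log-end yes

# Rule 2: internet-bound traffic is allowed with no Security Profiles.
# App-ID still runs (the firewall stays at layer 7), but no threat, AV or URL scanning happens here;
# that is left to the Internet PA. negate-destination makes the rule match only destinations
# outside 10.0.0.0/8, so a rule-ordering mistake cannot silently bypass rule 1.
set rulebase security rules Allow-Internet-NoProfile from branch to dc
set rulebase security rules Allow-Internet-NoProfile source Internal-Net destination Internal-Net negate-destination yes
set rulebase security rules Allow-Internet-NoProfile application any service application-default action allow
set rulebase security rules Allow-Internet-NoProfile log-end yes

# Keep the inspected rule above the uninspected one, then commit and verify which rule carries the profile group
move rulebase security rules Inspect-Internal before Allow-Internet-NoProfile
commit
run show running security-policy
```

The return direction (dc to branch) needs the mirrored pair of rules; no application override is used, so the App-ID throughput figure applies to both rules and the threat prevention figure only to the inspected one.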
01-16-2023 10:42 PM
Hi, many thanks for your response.
What about the throughput of the internal PA? If we put none in the security profile, will the PA process it as L4 or L7? With application override, it will be L4 for sure. We just want to see which PA is suitable for us considering the throughput required.
01-16-2023 10:48 PM
You can see the throughput of different models by visiting the following link:
https://www.paloaltonetworks.com/products/product-selection
App-ID firewall throughput: security profile not set
Threat prevention throughput: security profiles configured
Security profile not set is still layer 7, as the firewall needs to identify the application.
Application override is definitely layer 4, and you will lose all next-generation firewall capabilities by using it.
01-17-2023 10:18 PM
Hi, many thanks for your help.