01-09-2017 01:49 AM
Hi,
I have some clients who are installing a NAT router behind the firewall to span their own Wi-Fi. The NAT devices are from different vendors with different MACs.
Does anyone have an idea how to detect these NAT devices irrespective of their MAC / IP address, and how to deny all the traffic from these devices?
My intent is to block all traffic where IP packets have a TTL different from 128 / 64, but how can I solve this with Palo Alto?
Regards
Robert
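The TTL idea from the post above, worked through as an added example that is not part of the thread or of any Palo Alto product: it assumes you can export per-packet source IP and TTL records (from a packet capture or a flow log) and run the check off-box, and it flags a source address when its packets arrive with a TTL one or more hops below a common OS default, or when one address shows several OS defaults at once. The sample records, the `DEFAULT_TTLS` table and the hop tolerance are constructed assumptions.

```python
# Added example, not from the forum thread: off-box TTL heuristic for
# spotting a user-installed NAT router on an otherwise flat LAN segment.
from collections import defaultdict

# Assumed common initial TTLs: Linux/macOS/Android 64, Windows 128, some network gear 255.
DEFAULT_TTLS = (64, 128, 255)

# Tolerate at most this many hops below a default; a LAN host should need far fewer.
MAX_EXTRA_HOPS = 8

# Constructed sample records: (source IP, observed TTL) as seen on the firewall's
# inside interface, where no router is expected between host and firewall.
SAMPLE_FLOWS = [
    ("10.20.1.15", 128),
    ("10.20.1.15", 128),
    ("10.20.1.42", 64),
    ("10.20.1.77", 127),   # Windows-style TTL, one hop low: passed through a NAT box
    ("10.20.1.77", 63),    # same source IP also shows a Linux-style TTL, one hop low
    ("10.20.1.90", 255),
]


def classify_ttl(ttl, expected_hops=0):
    """Map an observed TTL to (os_default, extra_hops).

    expected_hops is the number of legitimate routers between the sending host
    and the sensor; anything beyond that counts as an extra hop. Returns None
    when the TTL fits no known default within MAX_EXTRA_HOPS.
    """
    for default in DEFAULT_TTLS:
        extra = default - ttl - expected_hops
        if 0 <= extra <= MAX_EXTRA_HOPS:
            return default, extra
    return None


def find_suspected_nat_hosts(flows, expected_hops=0):
    """Group records by source IP and return {ip: [reasons]} for suspicious ones.

    Two indicators are reported: a TTL implying at least one extra hop, and a
    single address emitting packets that fit different OS defaults (several
    devices hidden behind one NAT address).
    """
    by_ip = defaultdict(set)
    for ip, ttl in flows:
        by_ip[ip].add(ttl)

    suspects = {}
    for ip, ttls in by_ip.items():
        reasons = []
        defaults_seen = set()
        for ttl in sorted(ttls):
            result = classify_ttl(ttl, expected_hops)
            if result is None:
                reasons.append(f"ttl {ttl} matches no known default")
                continue
            default, extra = result
            defaults_seen.add(default)
            if extra > 0:
                reasons.append(f"ttl {ttl} is {extra} hop(s) below default {default}")
        if len(defaults_seen) > 1:
            reasons.append(f"mixed OS defaults {sorted(defaults_seen)} behind one address")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in find_suspected_nat_hosts(SAMPLE_FLOWS).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The output names only the suspect address and why; the address itself is the lead you need for the MAC lookup and port trace that later replies in the thread describe. TTL is a heuristic, not proof: a host on a legitimately routed subnet, or one whose administrator changed the default TTL, will trip it too, so set expected_hops per segment and treat a hit as something to verify rather than an automatic block.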
01-09-2017 12:21 PM
Hello
Maybe this is a solution for you (TTL=1): http://gregsowell.com/?p=2139
I know that you want to do this on PAN-OS ... but IMHO it's impossible - correct me if I'm wrong.
Regards
SLawek
01-09-2017 01:39 PM
So someone is on your network and your network has a Palo Alto firewall at the border?
You have users that have deployed a router with NAT enabled and they have their own separate WiFi network?
Why not just block their NAT IP in your firewall? Or shut down the port on your network that their router is connected to? Or talk to them and tell them what they're doing violates your company's security policy?
Are they squatting on legitimate IP space on your network or are they using some RFC 1918 space you don't use?
01-10-2017 01:31 AM
So someone is on your network and your network has a Palo Alto firewall at the border?
You have users that have deployed a router with NAT enabled and they have their own separate WiFi network?
Both yes
Why not just block their NAT IP in your firewall?
I don't know the NAT IP. It's dynamic. They bring their own Huawei / DrayTek ..... router and connect it to an open network port. It gets a DHCP address. Then it works.
Or shut down the port on your network that their router is connected to?
I don't know the port. It's dynamic....
Or talk to them and tell them what they're doing violates your company's security policy?
I did it always. But our CEO wants a technical solution.
01-10-2017 02:54 AM
If you can find the MAC address of the NAT router then you can put it in the deny list of your DHCP server and prevent it from getting an IP address. If your switches have a blacklist function you can add the MAC address to that also.
01-10-2017 06:52 AM
@robert.hoffmann If you have their NATed IP in your firewall, find the MAC. Then you can trace your network and find the port they're connected to on your network and shut down the port.
The IP might be dynamic, but I doubt they're changing network ports at the same time. If they did then someone's definitely screwing with you.
01-10-2017 07:11 AM
@Brandon_Wertz pretty much gave you everything that you need to do, but I would add that you're trying to fix a people problem with tech. If someone is doing this, HR should really get involved, or you should enable port security and limit the port on your switches to only allow 1 MAC address per port, possibly two if you are running a VoIP environment with passthrough.
01-21-2017 08:25 AM
Sounds like your CEO would be interested in implementing an 802.1X port security solution. Check with your switch vendor that they can support 802.1X. If so, this is your best method to make sure only authorized devices connect to your physical ports.