This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Inspection of traffic with PPPoE headers

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Inspection of traffic with PPPoE headers

Daniel_Bloom
L0 Member

‎09-01-2022 07:08 PM

I'm attempting to use a PA-440 in vwire mode to inspect traffic that is on the internet side of a broadband modem for security analysis. The traffic passes through the PA ok but non of the security policies seem to be triggered and no traffic logs are generated. Does anyone know if the Palo Alto firewall will inspect traffic that contains a PPPoE header?

 

I took a packet capture using the PA firewall and the flows look fine except for the PPP/PPPoE header. Wireshark decodes the applications correctly but not sure why the PA firewall doesn't generate any sessions or traffic logs.

 

I have a standard allow all rule in with logging enabled.

0 Likes Likes
2 REPLIES 2

Neubauer
L0 Member

‎09-05-2022 02:05 AM

Security policy rules don’t apply to Layer 2 packets which might be the reason you don't see any live sessions or traffic logs. If you don't have defined any tags in the virtual wire object, untagged traffic is allowed without an explicit rule.

 

You should still be able to capture PPPoE packets tho. Is the filter configured to include non-IP traffic?

0 Likes Likes

Daniel_Bloom
L0 Member

‎09-05-2022 04:35 PM

I don't actually need the policies to apply to the PPPoE header, but would like the firewall to be able to inspect the layer 3-7 data like it normally would on traffic without the PPPoE header. From what I've observed, when the PPPoE header is also included in the packet the firewall just ignores the rest of the data. I did think about tunnel inspection policies but these don't apply to PPPoE only GRE/VXLAN

 

There are no VLAN tags on this traffic but I've tested with and without tags defined on the vwire without success.

 

The capture filter did not include non-IP traffic. 

0 Likes Likes
  • 1481 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks