Inspection of traffic with PPPoE headers


L0 Member

I'm attempting to use a PA-440 in vwire mode to inspect traffic that is on the internet side of a broadband modem for security analysis. The traffic passes through the PA OK, but none of the security policies seem to be triggered and no traffic logs are generated. Does anyone know if the Palo Alto firewall will inspect traffic that contains a PPPoE header?


I took a packet capture using the PA firewall and the flows look fine except for the PPP/PPPoE header. Wireshark decodes the applications correctly, but I'm not sure why the PA firewall doesn't generate any sessions or traffic logs.


I have a standard allow all rule in with logging enabled.


L0 Member

Security policy rules don’t apply to Layer 2 packets, which might be the reason you don't see any live sessions or traffic logs. If you haven't defined any tags in the virtual wire object, untagged traffic is allowed without an explicit rule.


You should still be able to capture PPPoE packets tho. Is the filter configured to include non-IP traffic?

L0 Member

I don't actually need the policies to apply to the PPPoE header, but would like the firewall to be able to inspect the layer 3-7 data like it normally would on traffic without the PPPoE header. From what I've observed, when the PPPoE header is also included in the packet, the firewall just ignores the rest of the data. I did think about tunnel inspection policies, but these don't apply to PPPoE, only GRE/VXLAN.


There are no VLAN tags on this traffic but I've tested with and without tags defined on the vwire without success.


The capture filter did not include non-IP traffic. 
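
Added example, not part of the thread and not Palo Alto code: for offline analysis of a capture like the one described, this Python parser strips the PPPoE session and PPP headers (RFC 2516 layout) to reach the inner IP packet that a Layer 3-7 inspector would need to see. The function names and the sample frame are constructed for illustration, and it assumes the uncompressed 2-byte PPP protocol field.

```python
import ipaddress
import struct

ETH_VLAN = (0x8100, 0x88A8)    # 802.1Q / 802.1ad tags
ETH_PPPOE_SESSION = 0x8864     # PPPoE session stage (RFC 2516)
PPP_IP = {0x0021: "IPv4", 0x0057: "IPv6"}

def inner_packet(frame: bytes):
    """Return (session_id, family, ip_bytes) or None if not PPPoE-carried IP."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype in ETH_VLAN:               # skip any VLAN tags
        if len(frame) < off + 4:
            return None
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if ethertype != ETH_PPPOE_SESSION or len(frame) < off + 8:
        return None
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, off)
    if ver_type != 0x11 or code != 0x00:       # version 1, type 1, session data
        return None
    # 'length' covers the PPP protocol field plus payload; slicing by it
    # drops Ethernet padding. Assumes the uncompressed 2-byte protocol field.
    ppp = frame[off + 6: off + 6 + length]
    if length < 2 or len(ppp) < length:        # truncated capture
        return None
    family = PPP_IP.get(struct.unpack_from("!H", ppp)[0])
    if family is None:                         # LCP, IPCP, PAP/CHAP, ...
        return None
    return session_id, family, ppp[2:]

def ipv4_summary(pkt: bytes):
    """Return (src, dst, ip_protocol) from an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9]

# Constructed sample: TCP/IPv4 header inside PPPoE session 0x0001, padded to 60 bytes.
_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                  bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
SAMPLE_FRAME = (bytes(12) + struct.pack("!H", 0x8864)
                + struct.pack("!BBHH", 0x11, 0, 1, len(_ip) + 2)
                + struct.pack("!H", 0x0021) + _ip).ljust(60, b"\x00")

if __name__ == "__main__":
    sid, family, pkt = inner_packet(SAMPLE_FRAME)
    print(hex(sid), family, ipv4_summary(pkt))
```
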
