I'm attempting to use a PA-440 in vwire mode to inspect traffic that is on the internet side of a broadband modem for security analysis. The traffic passes through the PA OK, but none of the security policies seem to be triggered and no traffic logs are generated. Does anyone know if the Palo Alto firewall will inspect traffic that contains a PPPoE header?
I took a packet capture using the PA firewall and the flows look fine except for the PPP/PPPoE header. Wireshark decodes the applications correctly, but I'm not sure why the PA firewall doesn't generate any sessions or traffic logs.
I have a standard allow-all rule in place with logging enabled.
Security policy rules don't apply to Layer 2 packets, which might be the reason you don't see any live sessions or traffic logs. If you haven't defined any tags in the virtual wire object, untagged traffic is allowed without an explicit rule.
You should still be able to capture PPPoE packets, though. Is the filter configured to include non-IP traffic?
I don't actually need the policies to apply to the PPPoE header, but I would like the firewall to be able to inspect the Layer 3-7 data like it normally would on traffic without the PPPoE header. From what I've observed, when the PPPoE header is included in the packet the firewall just ignores the rest of the data. I did think about tunnel inspection policies, but these don't apply to PPPoE, only to GRE/VXLAN.
There are no VLAN tags on this traffic, but I've tested with and without tags defined on the vwire, without success.
The capture filter did not include non-IP traffic.
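An added illustration of the frame layout being discussed (this is example code written for this page, not posted by anyone in the thread and not Palo Alto code): a PPPoE session frame carries EtherType 0x8864 instead of 0x0800, followed by a 6-byte PPPoE header and a 2-byte PPP protocol field (0x0021 for IPv4, per RFC 2516 and RFC 1661), so the IP header begins at offset 22 rather than 14. Any decoder or capture filter that classifies "IP" purely by EtherType 0x0800 will treat such a frame as non-IP, which is consistent with the capture filter not picking it up. The MAC and IP addresses below are constructed sample values.

```python
"""Decode an Ethernet frame that carries IPv4 either directly (EtherType 0x0800)
or inside a PPPoE session (EtherType 0x8864, RFC 2516) behind a PPP protocol
field (RFC 1661).  Sample frames are constructed inline; no capture file needed."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage (discovery stage is 0x8863)
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number for IPv4 datagrams
PPP_PROTO_IPV6 = 0x0057            # PPP protocol number for IPv6 datagrams

# Constructed MAC addresses for the sample frames (not from any real capture).
ETH_DST = bytes.fromhex("001122334455")
ETH_SRC = bytes.fromhex("66778899aabb")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (returns 0 for a valid header)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet carrying a TCP SYN with no options (constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def build_plain_frame(ip_packet: bytes) -> bytes:
    """Ethernet II frame with the IPv4 header directly after the 14-byte Ethernet header."""
    return ETH_DST + ETH_SRC + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def build_pppoe_frame(ip_packet: bytes, session_id: int = 0x0001) -> bytes:
    """Same IPv4 packet inside a PPPoE session: 6-byte PPPoE header (ver/type 0x11,
    code 0x00, session ID, payload length) then the 2-byte PPP protocol field."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return ETH_DST + ETH_SRC + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe


def ethertype_is_ip(frame: bytes) -> bool:
    """What a decoder keyed only on EtherType sees: a PPPoE frame is 'non-IP'."""
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4


def decode_frame(frame: bytes) -> dict:
    """Find and parse the IPv4 header, stripping a PPPoE session header when present."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "encap": "none", "l3": None}
    offset = 14
    if ethertype == ETHERTYPE_PPPOE_SESSION:
        ver_type, code, session_id, _length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE v1/type 1 session packet")
        ppp_proto = struct.unpack("!H", frame[20:22])[0]
        info.update(encap="pppoe", session_id=session_id, ppp_protocol=ppp_proto)
        if ppp_proto != PPP_PROTO_IPV4:
            return info  # LCP/IPCP control traffic or IPv6: no IPv4 header to parse
        offset = 22
    elif ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    l3 = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    if ip[9] == 6:  # TCP: pull the ports so the two framings can be compared
        l3["sport"], l3["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    info["l3"] = l3
    return info


if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.0.2.10", "198.51.100.20", 40000, 443)
    for name, frame in (("plain", build_plain_frame(pkt)), ("pppoe", build_pppoe_frame(pkt))):
        print(name, "ethertype_is_ip:", ethertype_is_ip(frame), decode_frame(frame))
```

Running it shows the two frames decode to the identical Layer 3/4 tuple once the PPPoE session header and PPP protocol field are skipped; the only difference is the EtherType and the extra 8 bytes in front of the IP header.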