intra-interface (packets enter and exit same interface) ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

intra-interface (packets enter and exit same interface) ?

L3 Networker

This is a problem for other vendors (and something must be enabled/configured to allow this to occur).

Have not tried this in PANOS, but wondering if this just works or is it a similar scenario where you must enable something in PANOS ?

http://www.networkstraining.com/permitting-traffic-to-enter-and-exit-the-same-interface-same-securit...

2 accepted solutions

Accepted Solutions

@mpgioia The Palo Alto looks strictly at zones and not interfaces when it comes to security profiles. Same interface traffic is looked at the same as intrazone traffic. The only thing that you really have to do is to verify that your static routes and security policies are setup in a way that this actually functions.  

View solution in original post


TranceforLife wrote:

Hi,

 

If you are running PAN-OS 6.1 or above intrazone traffic permitted by default with intrazone-defult policy.

If you are running lower then 6.1 PAN-OS you ahve to create a policy to allow same zone traffic:

 

https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-...

 

Thx,

Myky 


that's incorrect, intrazone traffic has always been allowed. PAN-OS 6.1 just made the policies visible 🙂

 

Depending on what you're trying to accomplish, you may need U-turn NAT to force returning packets back to the firewall interface so sessions process both directions of the flow: How to Configure U-Turn NAT

 

other than that there's no restrictions in bouncing traffic back out of the same interface

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

7 REPLIES 7

L6 Presenter

Hi,

 

If you are running PAN-OS 6.1 or above intrazone traffic permitted by default with intrazone-defult policy.

If you are running lower then 6.1 PAN-OS you ahve to create a policy to allow same zone traffic:

 

https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-...

 

Thx,

Myky 

In other vendors.  ZONE and INTERFACE are two disinct things.

The INTRA-zone is not an issue, but INTRA-interface tends to be an issue and the capability to forward traffic (such that it INGRESSES and EGRESSES out the same interface) must be something explicitly enabled.  but INTRA-zone tends to just work.

 

So.. is this 2 x distinct different things in PANOS also like other vendors.. or is ZONE and INTERFACE almagamated into the same thing in their OS architecture based on your reply ?

Hi,

 

Cisco ASA is interface based firewall and work a bit in different way then zone based firewall (PA, Juniper SRX ect).

If we are talking about PA, every interface beloning to the zone (only one zone). So if you want to permit same zone trafic (lets say one inreface configured in the zone OUTSIDE) you have to have a policy in place 

@mpgioia The Palo Alto looks strictly at zones and not interfaces when it comes to security profiles. Same interface traffic is looked at the same as intrazone traffic. The only thing that you really have to do is to verify that your static routes and security policies are setup in a way that this actually functions.  

@BPry , @TranceforLife. Music to my ears. Thankyou.


TranceforLife wrote:

Hi,

 

If you are running PAN-OS 6.1 or above intrazone traffic permitted by default with intrazone-defult policy.

If you are running lower then 6.1 PAN-OS you ahve to create a policy to allow same zone traffic:

 

https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-...

 

Thx,

Myky 


that's incorrect, intrazone traffic has always been allowed. PAN-OS 6.1 just made the policies visible 🙂

 

Depending on what you're trying to accomplish, you may need U-turn NAT to force returning packets back to the firewall interface so sessions process both directions of the flow: How to Configure U-Turn NAT

 

other than that there's no restrictions in bouncing traffic back out of the same interface

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper yes absolutely. Sorry my bad
  • 2 accepted solutions
  • 8219 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!