04-01-2019 03:13 AM - edited 04-01-2019 03:35 AM
Hi, I'm new to working with Palo Alto, and I'm in the process of configuring a new PA-820. I wanted a little information and help.
1) Do you have to create a return rule if you want the return traffic back from the destination to your source address? Or will the firewall just allow the traffic if it received the first packet from the source address?
I wanted to know, in the case of the rules below, would I need to also create the second rule below from the server back to the client, or will the firewall just allow the return traffic without the rule?
Name | Source Zone | Source address | Destination Zone | Destination address | Application | Service | Action
Client to Server-DNS | Vwire-1 | 192.168.1.2 | Vwire-2 | 192.168.0.2 | dns | UDP 67-68 | Allow
Server to Client-DNS | Vwire-2 | 192.168.0.2 | Vwire-1 | 192.168.1.2 | dns | UDP 67-68 | Allow
Also, are the rules hit from the top down?
Thanks in Advance
04-01-2019 04:04 AM
Hi @kev91234 ,
As with stateful firewalls, if the return traffic is a response to the same session then you won't need the 2nd rule. The firewall keeps track of the state of network connections and will allow return traffic.
However, if both ends are going to initiate traffic then you will have to allow both ways.
Yes, rules are processed top down.
Cheers !
-Kiwi.
04-01-2019 05:14 AM - edited 04-01-2019 05:16 AM
@kiwi wrote: Hi @kev91234,
As with stateful firewalls, if the return traffic is a response to the same session then you won't need the 2nd rule. The firewall keeps track of the state of network connections and will allow return traffic.
However, if both ends are going to initiate traffic then you will have to allow both ways.
Yes, rules are processed top down.
Cheers !
-Kiwi.
Thank you Kiwi. I also have another strange issue, which is why I asked the questions above beforehand.
The firewall is configured with 8 vwire interfaces, with each interface being in a different zone: 4 on the inside and 4 on the outside of the firewall.
It was put in place to capture and monitor the traffic before we put in the new rules. So there are 8 rules all set to allow any traffic, as below. When I now add the new rules above these 8 rules, some rules get hit and some don't: the client to server rule gets hit but the server to client rule doesn't, and the traffic is shown as hitting one of the other allow any/any vwire rules below instead.
Name | Type | Source Zone | Source address | Destination Zone | Destination address | Application | Service | Action
 | Interzone | Vwire-2 | 192.168.0.2 | Vwire-1 | 192.168.1.2 | dns | UDP 67-68 | Allow
 | | Vwire-2 | 192.168.1.2 | Vwire-1 | 192.168.0.2 | | UDP 67-68 | Allow
Vwire-1 to Vwire 5 | | Vwire-1 | any | Vwire-5 | any | any | any | Allow
Vwire-2 to Vwire 6 | Universal | Vwire-2 | any | Vwire-6 | any | any | any | Allow
Vwire-3 to Vwire 7 | Universal | Vwire-3 | any | Vwire-7 | any | any | any | Allow
Vwire-4 to Vwire 8 | Universal | Vwire-4 | any | Vwire-8 | any | any | any | Allow
Vwire-5 to Vwire 1 | Universal | Vwire-5 | any | Vwire-1 | any | any | any | Allow
Vwire-6 to Vwire 2 | Universal | Vwire-6 | any | Vwire-2 | any | any | any | Allow
Vwire-7 to Vwire 3 | Universal | Vwire-7 | any | Vwire-3 | any | any | any | Allow
Vwire-8 to Vwire 4 | Universal | Vwire-8 | any | Vwire-4 | any | any | any | Allow
04-01-2019 06:47 AM
Virtual wire is like a tube. Everything that goes in from one side comes out from other (unless blocked by policy).
In initial post you asked policy between vwire zone 1 and 2.
Later showed rules between 1 and 5.
You can't have traffic entering into one virtual wire and exiting from other.
Virtual wires are configured at Network > Virtual Wires
There you see what interfaces are in same vwire.
04-01-2019 07:40 AM
@Raido_Rattameister wrote: Virtual wire is like a tube. Everything that goes in from one side comes out from other (unless blocked by policy).
In initial post you asked policy between vwire zone 1 and 2.
Later showed rules between 1 and 5.
You can't have traffic entering into one virtual wire and exiting from other.
Virtual wires are configured at Network > Virtual Wires
There you see what interfaces are in same vwire.
Hi Raido, you are correct, I made a typo in my example in the post above; it should be from Vwire 1 to Vwire 5. With this the second rule is never hit.
04-01-2019 07:45 AM
Top rule permits traffic from vwire 1 to vwire 5. This rule also by default permits return traffic.
So if clients are in vwire 1 zone and database in vwire 5 then clients initiate connection and database replies are automatically permitted by same rule.
If on the other hand any traffic would be initiated from vwire 5 zone then second rule would match.
By initiator I mean the side that sends SYN packet (in case of TCP).
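An added example, not code from this thread or from Palo Alto Networks: a small Python model of the behaviour Kiwi and Raido describe above, stateful session tracking plus top-down, first-match rule evaluation. It assumes the corrected zones (client 192.168.1.2 in Vwire-1, server 192.168.0.2 in Vwire-5), DNS on UDP port 53 as in the later post rather than the UDP 67-68 service shown in the tables, and constructed sample packets. The final step (expiring the session and replaying the server's reply) is generic stateful-firewall behaviour, included to show that a reply with no matching session is treated as a new flow and matched top-down; it is an illustration of the mechanism, not a diagnosis of the PA-820 issue.

```python
# Simplified stateful firewall model (added example, not PAN-OS code).
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                              # zone name or "any"
    src_ip: str                                # exact address or "any"
    dst_zone: str
    dst_ip: str
    proto: str = "any"                         # "udp", "tcp" or "any"
    dst_ports: Tuple[int, int] = (0, 65535)    # inclusive service port range
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        def ok(want: str, have: str) -> bool:
            return want == "any" or want == have
        return (ok(self.src_zone, pkt.src_zone) and ok(self.src_ip, pkt.src_ip)
                and ok(self.dst_zone, pkt.dst_zone) and ok(self.dst_ip, pkt.dst_ip)
                and ok(self.proto, pkt.proto)
                and self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1])


def flow_key(pkt: Packet) -> tuple:
    # Session key in the direction the packet travels (initiator -> responder).
    return (pkt.proto, pkt.src_zone, pkt.src_ip, pkt.src_port,
            pkt.dst_zone, pkt.dst_ip, pkt.dst_port)


def reverse_key(pkt: Packet) -> tuple:
    # Same session seen from the responder's side (the reply direction).
    return (pkt.proto, pkt.dst_zone, pkt.dst_ip, pkt.dst_port,
            pkt.src_zone, pkt.src_ip, pkt.src_port)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)                 # ordered: first match wins
        self.sessions: Dict[tuple, str] = {}     # initiator flow key -> rule name

    def process(self, pkt: Packet) -> Tuple[str, str]:
        # 1. Packet belongs to an existing session (either direction)? Then it
        #    is attributed to the rule that created the session; no reverse
        #    rule is consulted, which is why the "Server to Client" rule is
        #    never needed for replies.
        for key in (flow_key(pkt), reverse_key(pkt)):
            if key in self.sessions:
                return ("session", self.sessions[key])
        # 2. Otherwise it is the first packet of a new flow: walk the rulebase
        #    top-down and take the first match.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions[flow_key(pkt)] = rule.name
                    return ("new", rule.name)
                return ("denied", rule.name)
        return ("denied", "implicit-deny")

    def expire(self, pkt: Packet) -> None:
        """Forget the session this packet belongs to (models an idle timeout)."""
        for key in (flow_key(pkt), reverse_key(pkt)):
            self.sessions.pop(key, None)


# Rulebase from the thread, with the DNS rule corrected to Vwire-1 -> Vwire-5
# and port 53 assumed for the service.
DEMO_RULES = [
    Rule("Client to Server-DNS", "Vwire-1", "192.168.1.2", "Vwire-5", "192.168.0.2", "udp", (53, 53)),
    Rule("Vwire-1 to Vwire 5", "Vwire-1", "any", "Vwire-5", "any"),
    Rule("Vwire-5 to Vwire 1", "Vwire-5", "any", "Vwire-1", "any"),
]

# Constructed sample packets (client 192.168.1.2 in Vwire-1, server 192.168.0.2 in Vwire-5).
CLIENT_QUERY = Packet("Vwire-1", "192.168.1.2", 51000, "Vwire-5", "192.168.0.2", 53)
SERVER_REPLY = Packet("Vwire-5", "192.168.0.2", 53, "Vwire-1", "192.168.1.2", 51000)
SERVER_INITIATED = Packet("Vwire-5", "192.168.0.2", 40000, "Vwire-1", "192.168.1.2", 443, "tcp")


def run_demo() -> List[Tuple[str, str]]:
    fw = StatefulFirewall(DEMO_RULES)
    results = [fw.process(CLIENT_QUERY),       # new flow, hits the DNS rule
               fw.process(SERVER_REPLY),       # reply, attributed to the same session/rule
               fw.process(SERVER_INITIATED)]   # server-initiated flow, hits Vwire-5 to Vwire 1
    fw.expire(CLIENT_QUERY)                    # assumed idle timeout of the DNS session
    results.append(fw.process(SERVER_REPLY))   # no session: treated as new, matched top-down
    return results


if __name__ == "__main__":
    for verdict, rule in run_demo():
        print(f"{verdict:8} {rule}")
```

The first three results show Raido's point directly: the reply is counted against the rule that opened the session, and only a flow that the Vwire-5 side initiates itself lands on the second rule. The fourth result shows the general mechanism by which a reply packet can end up logged against a reverse any/any rule when the firewall holds no session for it.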
04-01-2019 08:27 AM - edited 04-01-2019 08:28 AM
@Raido_Rattameister wrote: Top rule permits traffic from vwire 1 to vwire 5. This rule also by default permits return traffic.
So if clients are in vwire 1 zone and database in vwire 5 then clients initiate connection and database replies are automatically permitted by same rule.
If on the other hand any traffic would be initiated from vwire 5 zone then second rule would match.
By initiator I mean the side that sends SYN packet (in case of TCP).
Hi Raido,
That makes perfect sense, but I noticed that the rule (Client to Server-DNS) gets hit for traffic on dst port 53 to the server.
Then I get traffic coming back from the server to the client with a src port of 53 and the same dst port as the src port from the client, but this is shown as hitting rule (Vwire-5 to Vwire 1). This is confusing me as to why?