New Comer

L1 Bithead

Hi, I'm new to working with Palo Alto and I am in the process of configuring a new PA-820. I wanted a little information and help.

 

1) Do you have to create a return rule if you want the return traffic from the destination back to your source address? Or will the firewall just allow the traffic if it received the first packet from the source address?

 

I wanted to know, in the case of the rules below, whether I would also need to create the second rule from the server back to the client, or whether the firewall will just allow the return traffic without the rule.

 

Name                   Source zone  Source address  Destination zone  Destination address  Application  Service    Action
Client to Server-DNS   Vwire-1      192.168.1.2     Vwire-2           192.168.0.2          dns          UDP 67-68  Allow
Server to Client-DNS   Vwire-2      192.168.0.2     Vwire-1           192.168.1.2          dns          UDP 67-68  Allow

 

Also, are the rules hit from the top down?

 

 

Thanks in Advance

 

 


Community Team Member

Hi @kev91234 ,

 

As with stateful firewalls, if the return traffic is a response to the same session then you won't need the 2nd rule. The firewall keeps track of the state of network connections and will allow return traffic.

 

However, if both ends are going to initiate traffic then you will have to allow both ways.

 

Yes, rules are processed top down.

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP


 
Thank you Kiwi.
I also have another strange issue, which is why I asked the questions above.

The firewall is configured with 8 vwire interfaces, with each interface in a different zone: 4 on the inside and 4 on the outside of the firewall.

 

It was put in place to capture and monitor the traffic before we put in the new rules. So there are 8 rules, all set to allow any traffic, as below. When I now add the new rules above these 8 rules, some rules get hit and some don't: the client-to-server rule gets hit, but the server-to-client rule doesn't, and the traffic is instead shown as hitting one of the other allow-any-any vwire rules below.

 

 

 

 

 

Name                   Type        Source zone  Source address  Destination zone  Destination address  Application  Service    Action
Client to Server-DNS   Interzone   Vwire-2      192.168.0.2     Vwire-1           192.168.1.2          dns          UDP 67-68  Allow
Server to Client-DNS   Interzone   Vwire-2      192.168.1.2     Vwire-1           192.168.0.2          dns          UDP 67-68  Allow
Vwire-1 to Vwire 5     Universal   Vwire-1      any             Vwire-5           any                  any          any        Allow
Vwire-2 to Vwire 6     Universal   Vwire-2      any             Vwire-6           any                  any          any        Allow
Vwire-3 to Vwire 7     Universal   Vwire-3      any             Vwire-7           any                  any          any        Allow
Vwire-4 to Vwire 8     Universal   Vwire-4      any             Vwire-8           any                  any          any        Allow
Vwire-5 to Vwire 1     Universal   Vwire-5      any             Vwire-1           any                  any          any        Allow
Vwire-6 to Vwire 2     Universal   Vwire-6      any             Vwire-2           any                  any          any        Allow
Vwire-7 to Vwire 3     Universal   Vwire-7      any             Vwire-3           any                  any          any        Allow
Vwire-8 to Vwire 4     Universal   Vwire-8      any             Vwire-4           any                  any          any        Allow

A virtual wire is like a tube. Everything that goes in from one side comes out from the other (unless blocked by policy).

 

In the initial post you asked about policy between vwire zones 1 and 2.

Later you showed rules between 1 and 5.

You can't have traffic entering one virtual wire and exiting from another.

 

Virtual wires are configured at Network > Virtual Wires

There you see what interfaces are in same vwire.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011



Hi Raido, you are correct. I made a typo in my example in the post above; it should be from Vwire 1 to Vwire 5. With this, the second rule is never hit.

The top rule permits traffic from vwire 1 to vwire 5. This rule also, by default, permits the return traffic.

So if the clients are in the vwire 1 zone and the database is in vwire 5, then the clients initiate the connection and the database replies are automatically permitted by the same rule.

 

If on the other hand any traffic would be initiated from vwire 5 zone then second rule would match.

 

By initiator I mean the side that sends SYN packet (in case of TCP).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
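The two answers above (Kiwi's on stateful return traffic and top-down processing, Raido's on the initiator deciding which rule matches) can be seen in a small model of a session table plus an ordered rulebase. This is an added illustration, not code from the thread or from PAN-OS: the rule names, zones and addresses follow the poster's corrected table; the direction-independent session key, the explicit expire() step and the use of UDP/53 for the DNS service (the port the poster later reports seeing, rather than the 67-68 in the table) are assumptions of the model. It also shows the general stateful behaviour that a reply arriving when no session exists for it is treated as a new flow and evaluated top down; whether that is what the poster is observing is not established in the thread.

```python
# Toy stateful firewall: first packet of a flow is matched against the
# rulebase top down; later packets of the flow (both directions) are
# answered from the session table and attributed to the rule that created it.
# Added example; session key, expiry and port numbers are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str            # "any" matches every zone
    src_ip: str              # "any" or one address
    dst_zone: str
    dst_ip: str
    dst_port: Optional[int]  # None models service "any"
    action: str = "allow"

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in ("any", p.src_zone)
                and self.src_ip in ("any", p.src_ip)
                and self.dst_zone in ("any", p.dst_zone)
                and self.dst_ip in ("any", p.dst_ip)
                and self.dst_port in (None, p.dst_port))


class StatefulFirewall:
    def __init__(self, rulebase):
        self.rulebase = list(rulebase)  # policy order: first match wins
        self.sessions = {}              # flow key -> name of the rule that allowed it

    @staticmethod
    def flow_key(p: Packet):
        # Direction-independent key, so the reply (addresses and ports swapped)
        # lands on the same session entry as the packet that created it.
        ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet) -> Tuple[str, str, bool]:
        """Return (action, rule name, created_new_session)."""
        key = self.flow_key(p)
        if key in self.sessions:                     # existing session: no rule lookup
            return ("allow", self.sessions[key], False)
        for rule in self.rulebase:                   # new flow: top-down lookup
            if rule.matches(p):
                if rule.action == "allow":
                    self.sessions[key] = rule.name
                return (rule.action, rule.name, True)
        return ("deny", "interzone-default", True)   # implicit interzone deny

    def expire(self, p: Packet) -> None:
        """Model the session aging out (assumption: its idle timeout elapsed)."""
        self.sessions.pop(self.flow_key(p), None)


# Poster's corrected rulebase: specific DNS rules above the catch-all vwire rules.
RULEBASE = [
    Rule("Client to Server-DNS", "Vwire-1", "192.168.1.2", "Vwire-5", "192.168.0.2", 53),
    Rule("Server to Client-DNS", "Vwire-5", "192.168.0.2", "Vwire-1", "192.168.1.2", 53),
    Rule("Vwire-1 to Vwire 5", "Vwire-1", "any", "Vwire-5", "any", None),
    Rule("Vwire-5 to Vwire 1", "Vwire-5", "any", "Vwire-1", "any", None),
]

# Constructed packets: a client DNS query and the server's reply to it.
QUERY = Packet("Vwire-1", "192.168.1.2", 51234, "Vwire-5", "192.168.0.2", 53)
REPLY = Packet("Vwire-5", "192.168.0.2", 53, "Vwire-1", "192.168.1.2", 51234)


def dns_exchange(rulebase=RULEBASE):
    """The query creates the session; the reply rides on it, no second rule needed."""
    fw = StatefulFirewall(rulebase)
    return fw.process(QUERY), fw.process(REPLY)


def server_initiated(rulebase=RULEBASE):
    """A flow the server starts (it sends the first packet) needs its own rule."""
    fw = StatefulFirewall(rulebase)
    return fw.process(Packet("Vwire-5", "192.168.0.2", 40000, "Vwire-1", "192.168.1.2", 53))


def reply_after_expiry(rulebase=RULEBASE):
    """A reply with no live session is a new flow and gets a fresh top-down lookup."""
    fw = StatefulFirewall(rulebase)
    fw.process(QUERY)
    fw.expire(QUERY)
    return fw.process(REPLY)


if __name__ == "__main__":
    print("query/reply:", dns_exchange())
    print("server-initiated:", server_initiated())
    print("reply after expiry:", reply_after_expiry())
    print("catch-all rules first:", dns_exchange(list(reversed(RULEBASE)))[0])
```

Reversing the rulebase makes the same query match "Vwire-1 to Vwire 5" instead of the DNS rule, which is the top-down point. On a real PAN-OS box the equivalent check is to look at the live session rather than the traffic log: `show session all filter source 192.168.1.2 destination 192.168.0.2` lists the sessions for that pair, and `show session id <id>` shows the rule the session was created under.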



Hi Raido,

 

That makes perfect sense, but I noticed that the rule (Client to Server-DNS) gets hit for traffic on dst port 53 to the server.

 

Then I get traffic coming back from the server to the client with a src port of 53 and the same dst port as the src port from the client, but this is shown as hitting rule (Vwire-5 to Vwire 1). This is confusing me as to why?
