02-28-2020 05:34 AM
Hi,
My colleague and I are complete Palo newbies, so apologies as this is probably covered elsewhere, but I don't know what to search for as I've never seen a firewall do this. We bought a PA-220 for evaluation intending to possibly move away from Cisco.
My colleague configured it in a basic way and the box has completely disrupted the test subnet:
The outside interface was configured with an IP address in a subnet, let's call it X, i.e.
firewall ip = 192.168.X.146
subnet mask = 255.255.255.0
static route with next hop = 192.168.X.254
The PA-220 then repeatedly sent out packets spoofing every possible IP in the range, i.e. 192.168.X.1 to 192.168.X.254, so that everything else in that subnet became intermittently unavailable, and of course when the PA-220 reached the router IP, .254, everything was affected. So we had an ARP table on the router that looked like this:
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.X.7 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.6 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.5 45 a08c.fdea.724b ARPA VlanX
Internet 192.168.X.4 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.3 2 40a8.f05f.a190 ARPA VlanX
Internet 192.168.X.2 10 f439.090a.9513 ARPA VlanX
Internet 192.168.X.1 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.15 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.14 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.13 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.12 10 f439.090a.940b ARPA VlanX
Internet 192.168.X.11 39 8cdc.d43a.7f9e ARPA VlanX
Internet 192.168.X.10 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.9 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.8 2 40a8.f045.e603 ARPA VlanX
Internet 192.168.X.23 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.22 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.21 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.20 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.19 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.18 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.17 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.16 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.31 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.30 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.29 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.28 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.27 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.26 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.25 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.24 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.39 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.38 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.37 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.36 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.35 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.34 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.33 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.32 81 34e5.ecb5.0b17 ARPA VlanX
The MAC address of the PA-220 is 34e5.ecb5.0b17.
Just wondering if anyone could point us in the right direction regarding why our box did this.
Thanks,
Chris.
02-28-2020 07:06 AM
@Chris-UNN This can happen when you misconfigure NAT and put a mask on the NAT IP addresses.
02-28-2020 07:43 AM
Hi Batd2,
Thanks for the reply. I know my colleague had overload NAT configured,
translation set to dynamic ip and port,
address type set to interface address,
interface set to outside ethernet (1/8)
ip address set to 192.168.X.146/24 --------- looks like this was the culprit...
But there was no PC at that time connected to the inside.
So it seems that the firewall understandably took 192.168.X.146/24 as a pool to use, but I still don't see why it sent out packets using every IP sequentially in that range when there was nothing on the inside trying to connect outwards.
Thanks again,
Chris.
02-28-2020 08:48 AM
@Chris-UNN Is it possible that your colleague configured it as "bi-directional" or Destination NAT?
In this case, the firewall will use ARP to indicate to its neighbours that it owns the IPs and traffic can be sent to it.
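As an added example (not from this thread and not Palo Alto Networks code), here is a small Python check that parses Cisco IOS "show ip arp" output like the table posted above and flags any MAC that answers for many addresses on one VLAN, which is exactly the symptom a NAT pool configured with a /24 mask produces. The 192.168.10.0/24 subnet and every MAC other than the PA-220's 34e5.ecb5.0b17 in the sample are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Cisco IOS "show ip arp" format, modelled on the table
# in the thread. The subnet and the MACs other than the PA-220's
# 34e5.ecb5.0b17 are placeholders; the router's own entry shows age "-".
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.7            81   34e5.ecb5.0b17  ARPA   Vlan10
Internet  192.168.10.6            81   34e5.ecb5.0b17  ARPA   Vlan10
Internet  192.168.10.5            45   a08c.fdea.724b  ARPA   Vlan10
Internet  192.168.10.4            81   34e5.ecb5.0b17  ARPA   Vlan10
Internet  192.168.10.3             2   40a8.f05f.a190  ARPA   Vlan10
Internet  192.168.10.2            10   f439.090a.9513  ARPA   Vlan10
Internet  192.168.10.1            81   34e5.ecb5.0b17  ARPA   Vlan10
Internet  192.168.10.254           -   0000.0c9f.f001  ARPA   Vlan10
"""

# One IOS ARP row: Internet <ip> <age or -> <xxxx.xxxx.xxxx> ARPA <interface>
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return (ip, mac, interface) tuples from 'show ip arp' output; the header
    line and anything that is not an ARPA row are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("iface")))
    return entries


def find_arp_claimers(text, threshold=3):
    """Map 'mac@interface' to the sorted IPs it claims, for every MAC that
    answers for at least `threshold` addresses on one interface. A router
    with an HSRP/VRRP virtual address stays below the threshold; a NAT pool
    with a /24 mask, as in this thread, shows one MAC owning the subnet."""
    by_mac = defaultdict(set)
    for ip, mac, iface in parse_arp_table(text):
        by_mac[(mac, iface)].add(ipaddress.ip_address(ip))
    return {
        f"{mac}@{iface}": [str(ip) for ip in sorted(ips)]
        for (mac, iface), ips in by_mac.items()
        if len(ips) >= threshold
    }
```

Run it against a pasted ARP table from the affected VLAN; the MAC that shows up owning dozens of addresses is the interface whose NAT pool needs its mask corrected to a single host address.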
03-02-2020 06:42 AM
Hi Batd2,
My colleague (who does exist, really) can't now remember exactly how he had configured the box as he was using the web GUI.
But I'd say your suggestion that the firewall sent out ARPs to claim every IP in the subnet sounds like the most likely cause, so I'll accept this as the solution. Thanks very much for your help and the speedy response.
Best Regards,
Chris.