PA-220 Strange IP Spoofing Behaviour

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-220 Strange IP Spoofing Behaviour

L1 Bithead

Hi,

My colleague and myself are complete Palo newbies so apologies as this is probably covered elsewhere but I don't know what to search for as I've never seen a firewall do this.  We bought a PA-220 for evaluation intending to possibly move away from Cisco.

My colleague configured it in a basic way and the box has completely disrupted the test subnet:

The outside interface was configured with an ip address in a subnet, let's call it X, i.e.

firewall ip = 192.168.X.146

subnet mask = 255.255.255.0

static route with next hop = 192.168.X.254

The PA-220 then sent out packets repeatedly spoofing every possible ip in the range, i.e. 192.168.X.1 to 192.168.X.254 so that everything else in that subnet became intermittently unavailable and of course when the PA-220 reached the router IP, .254 everything was affected - so we had an arp table on the router that looked like this:

 

Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.X.7 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.6 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.5 45 a08c.fdea.724b ARPA VlanX
Internet 192.168.X.4 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.3 2 40a8.f05f.a190 ARPA VlanX
Internet 192.168.X.2 10 f439.090a.9513 ARPA VlanX
Internet 192.168.X.1 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.15 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.14 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.13 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.12 10 f439.090a.940b ARPA VlanX
Internet 192.168.X.11 39 8cdc.d43a.7f9e ARPA VlanX
Internet 192.168.X.10 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.9 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.8 2 40a8.f045.e603 ARPA VlanX
Internet 192.168.X.23 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.22 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.21 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.20 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.19 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.18 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.17 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.16 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.31 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.30 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.29 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.28 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.27 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.26 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.25 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.24 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.39 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.38 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.37 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.36 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.35 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.34 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.33 81 34e5.ecb5.0b17 ARPA VlanX
Internet 192.168.X.32 81 34e5.ecb5.0b17 ARPA VlanX

 

 

The mac address of the PA-220 is 34e5.ecb5.0b17.

Just wondering if anyone could point us in the right direction regarding why our box did this.

Thanks,

Chris.

 

 

1 accepted solution

Accepted Solutions

Hi Batd2,

My colleague (who does exist, really) can't now remember exactly how he had configured the box as he was using the web gui.

But, I'd say your suggestion that the firewall sent out ARPs to claim every ip in the subnet sounds like the most likely cause so I'll accept this as the solution. Thanks very much for your help and the speedy response.

Best Regards,

Chris.

View solution in original post

4 REPLIES 4

L4 Transporter

@Chris-UNN This is can happen when you misconfigure NAT and put a mask to the NAT IP addresses. 

Hi Batd2,

Thanks for the reply. I know my colleague had overload NAT configured,

translation set to dynamic ip and port,

address type set to interface address,

interface set to outside ethernet (1/8)

ip address set to 192.168.X.146/24 --------- looks like this was the culprit...

But there was no PC at that time connected to the inside.

So it seems that the firewall understandably took 192.168.X.146/24 as a pool to use, but I still don't see why it sent out packets using every ip sequentially in that range when there was nothing on the inside trying to connect outwards.

Thanks again,

Chris.

 
 

 

@Chris-UNN Is it possible that your colleague configured it as "bi-directional" or Destination NAT? 

In this case, the firewall will use ARP to indicate to its neighbours that it owns the IPs and traffic can be sent to it.

Hi Batd2,

My colleague (who does exist, really) can't now remember exactly how he had configured the box as he was using the web gui.

But, I'd say your suggestion that the firewall sent out ARPs to claim every ip in the subnet sounds like the most likely cause so I'll accept this as the solution. Thanks very much for your help and the speedy response.

Best Regards,

Chris.

  • 1 accepted solution
  • 3405 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!