Palo Alto firewall dual homed devices between two security zones

L1 Bithead

Is it possible to detect dual homed hosts connected to two or more security zones at the same time.

L0 Member

you'll have many 'incomplete' sessions in one zone , and many non-syn-tcp in the other zone for incoming connections

outgoing you will not notice as the host will likely 'stick' to one interface for all/some of its sessions.

only if the dual-homed system is set up as a gateway/router/... to pass along packets, you may see unexpected IP addresses in either zone. this can be addressed by enabling anti spoofing in a zone protection profile 

L7 Applicator

Hi @JacobHusted 

Depending on the routing configured on these hosts, there is no way to detect these hosts. Unlike what @Thyrion wrote, it does not need to be the case that you will see a lot of incomplete sessions or sessions with wrong source IPs in the wrong zones, so if these hosts are configured correctly, the anti-spoofing feature also does not help to prevent such connections.

So the best way to resolve these issues is probably to find out how it is possible for these hosts to simultaneously connect to multiple networks behind your firewall and then try to implement preventions to eliminate this possibility for the users. If this still needs to be possible for at least some computers, make sure you secure the network as well as possible from both security zones 😉

@Remo incoming connections on one interface of the dual-homed system will be replied to via the default route (with the lowest metric) on the host. one interface will handle incoming connections properly, while the other will send replies out of the 'wrong' interface.

this is just a single potential way to find dual homed hosts, and not a necessity
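As an added illustration of the correlation described in the replies above (example code, not from the thread or from Palo Alto Networks): a script over exported traffic logs that flags an IP which is the destination of 'incomplete' sessions in one zone and, for the same peers, the source of 'non-syn-tcp' sessions out of a different zone. The column layout and the log lines are constructed for this example; a real PAN-OS CSV export has more columns and different field names, so adjust `FIELDS` accordingly.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in a simplified traffic-log layout (not a real PAN-OS export):
# time, from_zone, to_zone, src_ip, dst_ip, app
SAMPLE_LOG = """\
10:00:01,untrust,dmz,203.0.113.10,10.1.1.5,incomplete
10:00:02,inside,untrust,10.1.1.5,203.0.113.10,non-syn-tcp
10:00:03,untrust,dmz,203.0.113.11,10.1.1.5,incomplete
10:00:04,inside,untrust,10.1.1.5,203.0.113.11,non-syn-tcp
10:00:05,untrust,dmz,203.0.113.12,10.1.1.9,incomplete
10:00:06,untrust,dmz,203.0.113.13,10.1.1.9,ssl
10:00:07,inside,untrust,10.2.2.7,203.0.113.14,web-browsing
"""
FIELDS = ["time", "from_zone", "to_zone", "src_ip", "dst_ip", "app"]


def find_dual_homed_candidates(log_text, min_hits=2):
    """Correlate inbound 'incomplete' sessions to an IP in one zone with
    'non-syn-tcp' sessions sourced from that same IP out of another zone.
    The host's reply (SYN-ACK) leaving via its other interface is what the
    firewall logs as non-syn-tcp; the original session never completes.
    Returns {ip: {"incomplete_zone", "non_syn_zone", "peers"}}."""
    incomplete = defaultdict(lambda: defaultdict(set))  # dst_ip -> zone -> {client}
    non_syn = defaultdict(lambda: defaultdict(set))     # src_ip -> zone -> {client}
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        if row["app"] == "incomplete":
            incomplete[row["dst_ip"]][row["to_zone"]].add(row["src_ip"])
        elif row["app"] == "non-syn-tcp":
            non_syn[row["src_ip"]][row["from_zone"]].add(row["dst_ip"])

    findings = {}
    for ip, zones_in in incomplete.items():
        for zone_in, clients_in in zones_in.items():
            for zone_out, clients_out in non_syn.get(ip, {}).items():
                if zone_out == zone_in:
                    continue  # same zone: not the asymmetric-reply pattern
                common = clients_in & clients_out
                if len(common) >= min_hits:
                    findings[ip] = {"incomplete_zone": zone_in,
                                    "non_syn_zone": zone_out,
                                    "peers": sorted(common)}
    return findings


if __name__ == "__main__":
    for ip, info in find_dual_homed_candidates(SAMPLE_LOG).items():
        print(ip, info)
```

A host that only shows 'incomplete' sessions (10.1.1.9 in the sample) is not flagged, since a down service or a filtered port produces that on its own; raise `min_hits` on busy networks to cut noise.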
