Palo alto fitrewall that it does not take decision upon first packet while other firewalls take..

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo alto fitrewall that it does not take decision upon first packet while other firewalls take..

L2 Linker


I came to know one thing about palo alto fitrewall that it does not take decision upon first packet, it takes decision after three way handshake.

While other firewalls take decision after first packet. What does it mean and how it is benefiical in terms of Palo alto firewalls?

3 REPLIES 3

L6 Presenter

Depends how you configure rules.

Let's say you want to allow web browsing.

Option A: rule allows web-browsing on any port.

PA has to allow enough traffic on any destination port to make sure if the session is web-browsing before it can make a decision. So for TCP you can do 3-way handshake on any destination port and traffic will go through until PA notices it's not web-browsing session.

Option B: rule allows web-browsing only on application-default ports.

PA has to allow enough traffic on destination port 80 to make sure if the session is web-browsing before it can make a decision. Traffic on any other destination port will be dropped before it finishes 3 way handshake (already SYN packet will be dropped).



Or Option C (like any other Firewall): Allow any Application on Port 80

PAN make the decision at the first TCP SYN Packet when Traffic comes on Port 80 and allow any Traffic on Port 80

😉

..... yes i'm kidding sorry

L1 Bithead

It makes it more of an art form than a science reading the logs, because now you have to weed out the entries that say the traffic was allowed, but the application is incomplete.  Since the firewall has to allow the traffic through until it can identify the application you get these somewhat confusing entries in the logs.

The users tend to blame the firewall for things not working and you can't really tell them "the firewall allowed it" since that's not the definitive entry, for it may or may not have blocked it further along in the conversation.

  • 2450 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!