Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto in Virtual Wire mode : Traffic not passing throught internet perimeter Firewall

Dear All,

 

I'm doing POC at customer who use Checkpoint as Internet Firewall. So i deploy Palo Alto behind Checkpoint firewall in vwire mode. After We configure and install policy everything running well and to minimize the risk we configure permit all any any in the bottom of security policy. At the end of the PoC we try to disable the Permit all rule, but traffic not passing throught. Is there is any port or application or something i need to allow from palo alto? or there is spesific port from checkpoint i need to allow?

 

My rule style is like this:

- permit spesific plus security profile

- permit General plus security profile

- permit any any

 

 Topology:  Router----Checkpoint----Paloalto-----Switch

1 accepted solution

Accepted Solutions

Gabriel,

 

Rules are only needed in the zone direction for which the traffic is initiated at the tcp level.  You do not need a matching reverse direction rule as the firewall is "stateful" and aware of the session traffic.

 

So web browsing (http/https) from trust to untrust only needs a permit rule from trust to untrust.  You do not need an untrust to trust rule for this to work.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

7 REPLIES 7

L2 Linker

Hi,

What does the traffic log say? Do you see the sessions? Are they allowed or denied?

Cyber Elite
Cyber Elite

Hi Gabriel

 

if you switch the permit any rule to a block any rule, you should see what is being blocked exactly. This can help you pinpoint any service that may need to pass though.

 

Can you verify in the traffic logs that the source and destination zones are correct? A common issue with vwire configuration is that trust and untrust get switched by accidentally switching the cables. If you then disable the any rule traffic will start getting blocked as it is flowing in the "wrong" direction.

 

 

hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

Hi Gabriel,

 

Please check  all licenses are activated or not. if yes than check the your network configuration.

 

Regards

Satish

Check the logs for the original permit rule and you will see what traffic is hitting this even before you turn it off or to block.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Because when i disable permit any any rule.. there is no log about that. I will try to make deny any any rule before i disable permit any any rule so i can get the log about that. Once more i wanna ask, do i need to permit rule from untrust to trust for spesific application or port like http/web browsing or https/sll, or something like that?

You can override last default inter zone rule and enable logging traffic that matches that rule.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Gabriel,

 

Rules are only needed in the zone direction for which the traffic is initiated at the tcp level.  You do not need a matching reverse direction rule as the firewall is "stateful" and aware of the session traffic.

 

So web browsing (http/https) from trust to untrust only needs a permit rule from trust to untrust.  You do not need an untrust to trust rule for this to work.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 8604 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!