Palo Alto in Virtual Wire mode: Traffic not passing through internet perimeter Firewall


Dear All,


I'm doing a POC at a customer who uses Checkpoint as the Internet firewall. So I deployed Palo Alto behind the Checkpoint firewall in vwire mode. After we configured and installed the policy everything was running well, and to minimize the risk we configured a permit all any any at the bottom of the security policy. At the end of the PoC we tried to disable the permit all rule, but traffic does not pass through. Is there any port or application or something I need to allow from Palo Alto? Or is there a specific port from Checkpoint I need to allow?


My rule style is like this:

- permit specific plus security profile

- permit general plus security profile

- permit any any


Topology: Router----Checkpoint----Paloalto-----Switch


Accepted Solution
L7 Applicator

Gabriel,


Rules are only needed in the zone direction for which the traffic is initiated at the tcp level.  You do not need a matching reverse direction rule as the firewall is "stateful" and aware of the session traffic.


So web browsing (http/https) from trust to untrust only needs a permit rule from trust to untrust.  You do not need an untrust to trust rule for this to work.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center



All Replies
L2 Linker

Hi,

What does the traffic log say? Do you see the sessions? Are they allowed or denied?

L7 Applicator

Hi Gabriel


If you switch the permit any rule to a block any rule, you should see what is being blocked exactly. This can help you pinpoint any service that may need to pass through.


Can you verify in the traffic logs that the source and destination zones are correct? A common issue with vwire configuration is that trust and untrust get switched by accidentally switching the cables. If you then disable the any rule traffic will start getting blocked as it is flowing in the "wrong" direction.


Hope this helps

Tom

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
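The two points made in this thread, that a stateful firewall only needs a rule in the direction the session is initiated (Steve's accepted answer above) and that swapped vwire cabling makes traffic appear in the "wrong" zone direction so it hits the closing deny rule (Tom's reply), can be modelled in a few lines. The following is an added toy simulator, not PAN-OS code or anything from the thread; the rulebase mirrors the OP's rule style with the trailing "permit any any" replaced by a logging "deny any any", and the IP addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    app: str

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str              # "any" matches every zone
    to_zone: str
    apps: Optional[frozenset]   # None = any application
    action: str                 # "allow" or "deny"

class StatefulFirewall:
    """Toy model: first matching rule wins; an allowed session is remembered,
    so its return packets are passed by state and never consult the rulebase."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()
        self.log = []           # (rule name or "session", action, packet)

    def forward(self, pkt):
        # Reverse packet of a known session: allowed by state, no reverse rule needed.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            self.log.append(("session", "allow", pkt))
            return "allow"
        for r in self.rules:
            if (r.from_zone in ("any", pkt.src_zone) and r.to_zone in ("any", pkt.dst_zone)
                    and (r.apps is None or pkt.app in r.apps)):
                if r.action == "allow":
                    self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                self.log.append((r.name, r.action, pkt))
                return r.action
        self.log.append(("default-deny", "deny", pkt))
        return "deny"

RULES = [  # hypothetical rulebase in the OP's style; last rule logs what the permit-any used to hide
    Rule("permit-specific", "trust", "untrust", frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("permit-general", "trust", "untrust", None, "allow"),
    Rule("deny-any-log", "any", "any", None, "deny"),
]

def simulate(cables_swapped=False):
    """Client SYN then server SYN/ACK; with swapped cabling the vwire sees the zones reversed."""
    fw = StatefulFirewall(RULES)
    inside, outside = ("untrust", "trust") if cables_swapped else ("trust", "untrust")
    syn = Packet(inside, outside, "10.0.0.5", 40000, "203.0.113.10", 443, "ssl")      # constructed
    synack = Packet(outside, inside, "203.0.113.10", 443, "10.0.0.5", 40000, "ssl")   # constructed
    results = [(fw.forward(syn), fw.log[-1][0])]
    if results[0][0] == "allow":    # a dropped SYN never produces a SYN/ACK to evaluate
        results.append((fw.forward(synack), fw.log[-1][0]))
    return results
```

With correct cabling the reply is passed by the session entry with no untrust-to-trust rule; with the cables swapped the very first packet lands on the logging deny rule, which is exactly what the traffic log would show.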
L4 Transporter

Hi Gabriel,


Please check whether all licenses are activated or not. If yes, then check your network configuration.


Regards

Satish

L7 Applicator

Check the logs for the original permit rule and you will see what traffic is hitting this even before you turn it off or to block.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Because when I disable the permit any any rule there is no log about that. I will try to make a deny any any rule before I disable the permit any any rule so I can get the log about that. Once more I want to ask: do I need a permit rule from untrust to trust for a specific application or port like http/web-browsing or https/ssl, or something like that?

L7 Applicator

You can override last default inter zone rule and enable logging traffic that matches that rule.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI