I have an issue I faced before with OpenBSD's PF Firewall but I am not able to solve it with PAN.
My topology is:
INET ----- PAN ---- DMZ ---- Balancer ---- Balanced Servers
The domain controllers for the DMZ domain are located in DMZ and their default gateway is PAN. The route to reach the balanced servers network is configured in PAN and I can reach the balanced servers network both from the LAN and from the DMZ. However, although I can ping from the domain controllers in the DMZ to the balanced servers and vice versa, I am facing some validation issues. These issues disappear when I configure a static route on the domain controllers to reach the balanced servers directly through the balancer. I know it's weird to go through PAN to reach balanced servers from DMZ, but I don't like adding static routes to servers.
I could solve the problem with PF by modifying the stateful behaviour.
It looks like the Palo Alto firewall is only seeing half of the flows from the DMZ servers to the Balanced Servers. The initial packet from the DMZ server goes to the firewall, which then sends it through the Balancer. When the Balanced Servers send the response back to the Balancer, they see the destination as a connected network, so instead of sending the traffic back to the firewall, it gets sent directly to the DMZ server.
This is a type of asymmetric route. You can either put static routes on your servers, as you have done, or you can put more specific routes to those servers on the Balancer with a next hop of the firewall. Another option would be to put another pair of firewall ports (L3 or Vwire) in front of the Balancer so you can fully inspect the traffic between the DMZ servers and the Balanced Servers.
This link contains helpful information to address the issue. https://live.paloaltonetworks.com/docs/DOC-1260
Disabling tcp-reject-non-syn solves the asymmetric routing problem. However, I am not sure about the security implications it could have.
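As an added illustration of the asymmetric-route explanation in the reply above and of the tcp-reject-non-syn follow-up, here is a toy model of a stateful firewall's session table; it is my own example, not Palo Alto code, and it does not claim to reproduce PAN-OS's real session handling. The 10-second half-open timeout and the endpoint names dc.dmz and app.balanced are constructed for the model.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK or data segment
    t: float     # arrival time at the firewall, in seconds

class StatefulFirewall:
    """Toy state table: a session is ESTABLISHED only once the SYN-ACK is seen."""
    HALF_OPEN_TIMEOUT = 10.0  # assumed value for this model, not a PAN-OS default

    def __init__(self, reject_non_syn: bool):
        self.reject_non_syn = reject_non_syn
        self.sessions = {}  # frozenset({a, b}) -> [state, last_seen]

    def inspect(self, p: Pkt) -> str:
        key = frozenset((p.src, p.dst))
        s = self.sessions.get(key)
        if s and s[0] == "SYN_SEEN" and p.t - s[1] > self.HALF_OPEN_TIMEOUT:
            del self.sessions[key]  # handshake never completed from our viewpoint
            s = None
        if s is None:
            if p.flags == "S":
                self.sessions[key] = ["SYN_SEEN", p.t]
                return "allow"
            if self.reject_non_syn:
                return "drop"       # first packet of a flow is not a SYN
            self.sessions[key] = ["ESTABLISHED", p.t]  # mid-stream pickup
            return "allow"
        if s[0] == "SYN_SEEN" and p.flags == "SA":
            s[0] = "ESTABLISHED"
        if s[0] == "ESTABLISHED":
            s[1] = p.t              # only a verified session is refreshed
        return "allow"

DC, APP = "dc.dmz", "app.balanced"  # constructed endpoint names

# Symmetric path: the firewall sees both directions of the handshake.
SYMMETRIC = [Pkt(DC, APP, "S", 0), Pkt(APP, DC, "SA", 0.1),
             Pkt(DC, APP, "A", 0.2), Pkt(DC, APP, "A", 30)]
# Asymmetric path (the thread's topology): replies bypass the firewall,
# so it only ever sees the DC -> balanced-server direction.
ASYMMETRIC = [Pkt(DC, APP, "S", 0), Pkt(DC, APP, "A", 0.2), Pkt(DC, APP, "A", 30)]

def run(packets, reject_non_syn=True):
    fw = StatefulFirewall(reject_non_syn)
    return [fw.inspect(p) for p in packets]
```

The last packet of the asymmetric run shows the trade-off the follow-up asks about: with the non-SYN check disabled the long-lived connection keeps working, but the firewall is now admitting a flow whose handshake it never validated.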