Routing through same interface

santonic
L5 Sessionator

You can do packet capture in the GUI with appropriate filters and look at what is captured in the drop stage of processing.

You can also monitor global counters, but here you will just see the counter increasing and not which packet was actually dropped.

 

From CLI:

show counter global name tcp_drop_packet

 

And if you want to turn off the asymmetric check on the WHOLE PA appliance for all zones:

configure

set deviceconfig setting tcp asymmetric-path bypass

 

But if I understand correctly you already did that?

reaper
L7 Applicator

Please check out this article regarding packet captures :) Getting Started: Packet Capture

 

Please be very careful with the asymmetric-path configuration as it could open up unexpected avenues of attack: sessions bypassed this way will not be L4-L7 scanned by App-ID/Content-ID and could contain a malicious payload you will not be able to identify. This setting is global, so it could also impact packets coming from untrusted networks.

 

For more information regarding the impact of the setting: Palo Alto Networks TCP Settings and Counters

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
myrdin
L2 Linker

thanks guys.

 

I thought about it and I came to the conclusion that the Palo is slow already as it is; if I am even to add a NAT to translate WITHIN the LAN every packet to another internal segment, it will catch fire.

 

I found an article that explains how to create a zone protection and I will apply it on the trust zone only, so as to avoid enabling the bypass globally, and in the zone protection to avoid dropping traffic because of the SYN sequential number problem.

 

Thanks to all for pointing in the right direction.

 
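The per-zone alternative described in the post above, as an added configuration example that is not from the original thread: a zone protection profile whose TCP asymmetric-path action is set to bypass, attached to the trust zone only, while the global `deviceconfig` setting is left at its default (drop), so untrusted zones keep the check. The profile name `asym-bypass-trust` and zone name `trust` are placeholders, the `#` lines are annotations rather than CLI input, and the command paths follow the PAN-OS set-command hierarchy as I know it; confirm them against the running version with `?` completion before committing.

```text
# Added example, not from the thread. Placeholders: profile "asym-bypass-trust", zone "trust".
configure

# Zone protection profile with the asymmetric-path action set to "bypass"
# (the other choices are "drop" and "global", the latter inheriting the device-wide setting)
set network profiles zone-protection-profile asym-bypass-trust asymmetric-path bypass

# Attach the profile to the trusted zone only; every other zone keeps the global (drop) behaviour
set zone trust network zone-protection-profile asym-bypass-trust

# Deliberately NOT run, so the check stays active device-wide:
#   set deviceconfig setting tcp asymmetric-path bypass

commit
```

After the commit, the same checks the earlier replies mention still apply: watch `show counter global name tcp_drop_packet` while reproducing the flow, and take a packet capture filtered on the affected hosts to confirm nothing from that flow lands in the drop stage. Because bypassed sessions are not App-ID/Content-ID inspected, keeping the bypass scoped to the one zone that needs it is the point of this approach.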

santonic
L5 Sessionator

Palo Alto is slow? You have obviously never tried firewalls from other manufacturers :)

reaper
L7 Applicator

Also, any latency you might experience is purely on the management plane; the dataplane has its own set of CPU/memory/... and is quite fast.

you can check available resources for both planes with these commands:

 

Dataplane
> show running resource-monitor

Management plane
> show system resources

please consider going with the NAT option, I promise your firewall won't catch fire :)

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374