Statefull or not statefull

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Statefull or not statefull

L1 Bithead

We recently purchase pa3020s for mainly application control reason and put them behind cisco ASAs.   I set up trust-to -untrust policy which applies to outbound internet traffic. I denied unwanted apps and allowed rest using user group mapping.   that is all working fine and users can access internet with no problem..

well,  last week, I tried to do  the same to default untrust-to-trust policy to the Inbound traffic.  I created a policy that  allowed the DMZ and  remote VPN traffic coming through the ASA and I changed the default untrust -to-trust policy from allow to deny. The result was internet access stopped. No one could access Internet and I had to back the change out.

My thinking was that this a state full firewall and for any outbound traffic,  the return traffic should pass through if it matches a established session.    is this not right with PA firewall? do they do statefull inspection or not?

thank you

13 REPLIES 13

L6 Presenter

Hi,

Palo Alto is statefull by default.Do you have 1 cisco ASA or 2 cisco ASAs on that topology.

Are they active passive or active active ?

You should examine the logs related to the clients so that you will see what happened during that config.

L5 Sessionator

Are the PANFWs in Layer3 mode or in vwire mode?

Can you attach the sceenshot of the untrust to trust rule on the PANFW

Thanks and best regards,

Karthik RP

I have 2 ASA active/standby same as PAs.  PAs are in vwire mode.  let me try it again and I check logs closely or post them here.

Thank you all for the input.

I discovered what issue was. It was an error on my part on how I configured the policy. thank you all.

H Team,

is there any document available PA 3020 is statefull?

Pls share link to download.

NickySorot, As was stated before,  All Palo Alto Networks firewalls are stateful by default.

If you require something specific, please let us know.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

ok thanks. can you share document link to proof that this is statefull.

one more question:  can we assign multiple segment on one interface.

ex: 192.168.1.0 to 192.168.1.32

192.168.1.33 to 192.168.1.64

NickySorot

The information that you are looking for can be found on this link,

https://www.paloaltonetworks.com/resources/learning-center/what-is-a-firewall.html

Amjad

Nicky, the link was posted about being stateful.

as far as the multiple segments.  You can place as many IP addresses as you want to an interface.

It looks like you want a "range".. do you mind if I ask why you are wanting to do that? For what purpose? NAT?

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

i want to create multiple logical networks like a group of 30 hosts and wants to keep separate logically. like to allow access based on policy between these small subsets.

Nicky,

Thanks for the response, but I am confused why you would need so many IP's in the same range for something like that. It seems unnecessary. I would like to think that you just need to restrict access based upon the IP, and you can do that through a Network Range/subnet.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi,

what is the delivery timeline of replacement of faulty firewall in case of premium support.  our one firewall is down last 2-3 days.

If you have Premium support, and need to replace a unit, you need to contact the TAC, and report it.

Usually the replacement units are shipped out the next day, and they should arrive 2 days after reported.  This sometimes can be quicker, but this is what the official answer is.

Example, Lets say you call Monday, report an issue that needs an RMA, The replacement unit is shipped on Tuesday to arrive on Wednesday Morning Usually before 10:30 AM.

That is unless you have paid for 4 Hour Replacement.  Which means 4 hours after the TAC Determines this to be an RMA, you get a replacement unit within 4 hours.  But that is ONLY with a 4 hour agreement.

I hope this helps.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
  • 6871 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!