What is the difference of security policy in session setup stage and fast path stage

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is the difference of security policy in session setup stage and fast path stage

L3 Networker

Hi All,

 

Please could someone help me out in understanding this concept as I am a bit confused about this process.

I mean if App ID is ingonred then how is the traffic allowed to go to fast path stage if all the rules are configured using AppID rather than ports.

 

Thanks

7 REPLIES 7

Cyber Elite
Cyber Elite

You should consider fastpath as more of a layer 3 or 4 process rather than app-id: when a session is being set up (syn packets et al), the firewall needs to check if source IP/zone, destination IP/zone and destination port are allowed. 

When a match is found, the packets are allowed through to complete the tcp handshake and a session is created. Once this phase is completed, the session goes into fastpath (basic 6 tuple was allowed by security) but app-id is still busy identifying the app

If anywhere after the 3rd packet an application is identified that is blocked (or not allowed) the session is still dropped

 

Fastpath is not the same as hardware offloading

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Reaper,

Thanks for your response.

Please could clarify how the security policy is going to behave only if application is defined not the ports..?I will this traffic will be allowed.? 

In addition, Why again the security policy is checked in fast path, is it because of App-ID coming into action if the security policy is defined using Application as the match criteria.

Hi @mahmoodm ,

- You need to look at the actual data to be able to identify application and make decision if you allow it or not. If you see TCP SYN packet, can you tell what application will use this TCP connection? No, you can assume based on destination port, but you cannot tell for sure. For that reason if you configure rule that is blocking an application, firewall will still allow the TCP hand-shake to complete, because firewall will need to allow the session to pass in order to gather enough information to identify the application. 

 

- Exactly. PAN are calling this application shift and to understand it you to think how standard TCP connection is established. Most common example is with facebook, or any other http based application.
- First FW sees only TCP handshake. - so (depending on your rule base) it will allow the tcp to establish 

- Once the TCP is established the client do HTTP request (lets simplified without the encryption just for the example) - Now FW sees the actual data and can identify the traffic as web-browsing and even better, based on the requested URL it knows it is going to facebook. So FW will say that this traffic is facebook-base (something with facebook)

- After some few more packets (reply from server and probably more content requests from client), FW can see that you are trying to use facebook chat feature. 

 

With more data passing firewall will have more data to better identify the application and can change the detected app, when this happen new policy lookup is triggered to check if the newly identified application is allowed, if it still match the existing rule.

 

This is a bit over-simplified example, because if you put encryption and tunneling (ssh and ssl) you can have even more layers untill the actual application/service is reviled. 

Hi Astradzhiev,

Thanks for your response.

I have little confusion on this part. How come the traffic is allowed wherein we have not defined any destination port in the rules, We have only defined the application...Does it use the implicit allowed list of applications for this purpose or something else.

 

For that reason if you configure rule that is blocking an application, firewall will still allow the TCP hand-shake to complete, because firewall will need to allow the session to pass in order to gather enough information to identify the application. 

Hello,

The application has 'default' ports that is uses, so once its identified by the PAN, those ports are used. If the port is not standard, it will fail, i.e. web-browsing over port 8080.

https://applipedia.paloaltonetworks.com/

search for web-browsing and click on it, it will list the default port of 80/tcp.

 

Since the application is not identified in the tcp handshake, the PAN will allow this until the proper application is identified or security policy matched.

 

Regards,

 

Hope that helps.

Hi Otakar,

Thanks for your response.

One final clarification,If the PAN is able to identify the application then it will take the defined action if not what will happen,Will it keep trying other security rules until a match is found or else deny the traffic...?

 

Thanks

Hi Reaper,

Please could you help me in understanding the difference for below.

1)What is security policy pre-check and what it's use.

2)How will the firewall allow the tcp handshake while we have not  defined any rules allowing on destination ports, Imagine all the rules are defined using application.

Thanks

  • 3879 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!