02-08-2023 09:42 PM - edited 02-08-2023 09:43 PM
Hello,
A customer has a Palo Alto perimeter firewall and a Fortigate DCFW which sits behind the PA in the line of traffic when incoming from the internet.
It has been observed that, in a scenario where the Palo Alto firewall has SSL Inbound Inspection enabled for all internet-facing applications and the vulnerability protection signatures are set to the 'drop' action, the firewall still seems to be forwarding packets to the Fortigate FW, whose IPS engine gets triggered for the same vulnerability and blocks packets from the same attacker IP address.
I want to understand if this is a bug or if the recommended action should be set to a different one for this to be avoided? Ideally the traffic should never reach the Fortigate.
The screenshots from the PA and Fortigate modules are attached. The PAN OS version is 9.1.15-h1.
Thank you!
Aamir
02-09-2023 01:00 AM
Hi @murali438 ,
Certainly that was the 1st thing I would have checked. The IP has been flagged by multiple entities as seen in the below link:
https://www.abuseipdb.com/check/192.99.180.188
Cheers
Aamir
02-16-2023 12:51 AM
I thought that I made a post here but I see it no more. Strange. Did you check with a pcap capture for the drop and transmit state that the traffic really passes through the firewall? It could be a visual bug.
Also definitely check that the SSL decryption is working for the source IP that you see in the attack, as maybe the traffic is not decrypted every time. Too bad that you are not using 10.x, as it has an SSL decryption tab that makes life easier.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS
And just in case check the release notes.
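As an added example (not from this thread or either vendor), one way to check the suspicion above from exported logs rather than screenshots: correlate upstream threat-log entries with action drop against downstream IPS hits for the same source IP inside a short window. The log formats and addresses below are constructed and simplified, not real PAN-OS or FortiOS output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real PAN-OS or FortiOS output): a
# simplified upstream threat log and a simplified downstream IPS log.
UPSTREAM_THREAT_LOG = """\
2023-02-08 21:30:01,src=192.0.2.10,dst=198.51.100.5,threat=example-sig,action=drop
2023-02-08 21:30:05,src=192.0.2.10,dst=198.51.100.5,threat=example-sig,action=drop
2023-02-08 21:31:10,src=192.0.2.20,dst=198.51.100.5,threat=example-sig,action=alert
"""
DOWNSTREAM_IPS_LOG = """\
date=2023-02-08 time=21:30:02 srcip=192.0.2.10 dstip=198.51.100.5 action=dropped attack="example-sig"
date=2023-02-08 time=21:31:11 srcip=192.0.2.20 dstip=198.51.100.5 action=dropped attack="example-sig"
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def _kv(text):
    """Parse key=value pairs (comma or space separated, quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_upstream(log):
    """Yield (time, src, action) for each upstream threat-log line."""
    for line in log.strip().splitlines():
        ts, _, rest = line.partition(",")
        kv = _kv(rest)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kv["src"], kv["action"]

def parse_downstream(log):
    """Yield (time, src) for each downstream IPS line."""
    for line in log.strip().splitlines():
        kv = _kv(line)
        yield datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S"), kv["srcip"]

def find_leaks(upstream, downstream, window_seconds=60):
    """Return (src, upstream_drop_time, downstream_hit_time) for every upstream
    'drop' verdict that was still followed by a downstream IPS hit from the
    same source within window_seconds; an empty list means the drop held."""
    hits = sorted(parse_downstream(downstream))
    window = timedelta(seconds=window_seconds)
    leaks = []
    for up_ts, src, action in parse_upstream(upstream):
        if action != "drop":
            continue  # alert-only verdicts are expected to reach the next hop
        for down_ts, down_src in hits:
            if down_src == src and up_ts <= down_ts <= up_ts + window:
                leaks.append((src, up_ts, down_ts))
                break
    return leaks

if __name__ == "__main__":
    for src, up_ts, down_ts in find_leaks(UPSTREAM_THREAT_LOG, DOWNSTREAM_IPS_LOG):
        print(f"{src}: upstream drop {up_ts:%H:%M:%S}, downstream IPS hit {down_ts:%H:%M:%S}")
```

A source that shows up in the result is the case this thread describes; a pcap at the drop and transmit stages then settles whether it is a logging artifact or real forwarding.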