Vulnerability Protection Profile action drop, but still forwards packets

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Vulnerability Protection Profile action drop, but still forwards packets

L1 Bithead

Hello,

 

A customer has a Palo Alto perimeter firewall and a Fortigate DCFW which sits behind the PA in the line of traffic when incoming from the internet .

 

It has been observed that in a scenario when the Palo Alto firewall which has SSL Inbound inspection enabled for all internet facing applications and the vulnerability protection signatures are said to 'drop' action, the firewall still seems to be forwarding packets to the Fortigate FW whose IPS engine gets triggered  for the same vulnerability and it blocks packets from the same attacker IP address.

 

I want to understand if this is a bug or the recommended action should be set to a different one for this to be avoided? Ideally the traffic should never each the Fortigate.

 

The screenshots from the PA and Fortigate  modules are attached. The PAN OS version is 9.1.15-h1.

 

Thank you!

 

Aamir



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
4 REPLIES 4

L2 Linker

Hello 

 

Could you please validate if it is for the same source and destination IP's that you are getting the drop log on the Fortigate?

Hi @murali438 ,

 

Certainly that was the 1st thing I would have checked. The IP has been flagged by multiple entities as seen in the below link:

 

https://www.abuseipdb.com/check/192.99.180.188

 

Cheers

 

Aamir

Hello,

 

To provide additional info showing the same source IP being detected by the PA and Fortinet VA engines, please find the two screenshots attached.

 

 

 

Thanks

 

Aamir

L6 Presenter

I thought that made a post here but I see it no more. Strange. Did you check with pcap capture for drop and transmit state that the traffic really passes through the firewall? It could be a visual bug?

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-r...

 

Also defenetly check that the SSL decryption is working for the source IP that you see in the attack as maybe not every time traffic is decrypted. Too bad that you are not using 10.x as it has SSL decryption tab that makes life easier.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decry...

 

 

And just in case check the release notes.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/kno...

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/kno...

 

  • 1914 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!