PA Firewall Silently Dropping Intra-VLAN Traffic

I have a PA-220 that is configured with VLAN interfaces (layer 3 SVI), and the physical interfaces are layer 2 interfaces attached to the respective layer 2 VLAN. Basically using it as a layer 3 switch with firewall filtering. What I am running into now is that devices on the same VLAN cannot communicate with each other on the same subnet. I can arping from hostA to hostB and vice versa, so the layer 1 and layer 2 path is good. The palo shows absolutely nothing in the logs that the traffic is even occurring. The only indication that the palo is dropping it is the palo packet capture: the drop stage capture shows the firewall dropping the packets. The default intra-zone rule is to permit. I even overrode the rule to add logging to that rule and it still doesn't log. Any ideas would be much appreciated.

Diagram - https://imgur.com/qVpb6DF

DMZ security zone - VLAN 10 - 192.168.1.0/24

hostA (Intel NUC) - 192.168.1.101 - connected to eth2 on the palo

hostB - 192.168.1.5 - connected to eth3 on the palo

gateway (the palo) - 192.168.1.1

Palo is running version 8.0.10

EDIT: SOLVED! Thanks to u/ykc87. Turns out you have to make a layer2 security zone and put the physical interfaces into it and then the intra-zone rule permits it. https://imgur.com/bruRdv9

level 1
debug dataplane packet-diag set filter match source 192.168.1.101  destination 192.168.1.5 (and / or vice-versa)
debug dataplane packet-diag set filter on
show counter global filter packet-filter yes delta yes

Run the last command twice a few seconds apart whilst pinging between the devices and in the second output, you'll see a reason for the drops.

level 2
Original Poster

Interesting...no incoming zone. The physical interfaces are layer2 mode and it won't let me assign the DMZ zone to them.

So I fixed it thanks to you. Turns out you have to make a layer2 security zone and put the physical interfaces into it and then the intra-zone rule permits it. https://imgur.com/bruRdv9

admin@pa-fw> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 8.579 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_policy_no_zone_i                      9        1 drop      flow      session   Session setup: no incoming zone
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------
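The counter-reading procedure from the comment above (filter on the two hosts, then sample `show counter global filter packet-filter yes delta yes` twice) produces a fixed-width table, and the one row that matters here is the `drop`-severity line. The following is an added example, not code from the thread or from Palo Alto Networks: a small parser for that table that pulls out the drop counters and, for the case where the command is run without `delta yes`, computes which counters moved between two samples. `SAMPLE` is the output the original poster pasted, embedded as a string; `BEFORE`/`AFTER` are constructed samples (the `pkt_recv` row and its values are made up for the illustration) and the column layout assumed is the one shown in the pasted output.

```python
"""Parse PAN-OS `show counter global` output and surface the drop reasons.

Added example, not part of the original thread. Sample text below is
embedded so the script runs offline; SAMPLE is the poster's pasted
output, BEFORE/AFTER are constructed for the two-sample workflow.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = """\
Global counters:
Elapsed time since last sampling: 8.579 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_policy_no_zone_i                      9        1 drop      flow      session   Session setup: no incoming zone
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------
"""

# Constructed: two absolute (non-delta) samples taken a few seconds apart.
BEFORE = """\
name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                 120        0 info      packet    pktproc   Packets received
flow_policy_no_zone_i                    100        0 drop      flow      session   Session setup: no incoming zone
"""
AFTER = """\
name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                 140        2 info      packet    pktproc   Packets received
flow_policy_no_zone_i                    109        1 drop      flow      session   Session setup: no incoming zone
"""


@dataclass(frozen=True)
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One counter row: a name, two integers, three single-word fields, free text.
# Header, separator and summary lines fail the integer fields and are skipped.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+"
    r"(?P<description>.+?)\s*$"
)


def parse_counters(text: str) -> list[Counter]:
    """Return every counter row found in the CLI output, in order."""
    rows: list[Counter] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append(Counter(d["name"], int(d["value"]), int(d["rate"]),
                            d["severity"], d["category"], d["aspect"],
                            d["description"]))
    return rows


def drops(counters: list[Counter]) -> list[Counter]:
    """Keep only the rows the dataplane classifies as drops."""
    return [c for c in counters if c.severity == "drop"]


def diff_samples(before: str, after: str) -> dict[str, int]:
    """Increment per counter between two absolute samples.

    Counters that did not move are omitted, which is the point of taking
    two samples while the test traffic is running: only the rows that
    increment are attributable to that traffic.
    """
    b = {c.name: c.value for c in parse_counters(before)}
    a = {c.name: c.value for c in parse_counters(after)}
    return {n: a[n] - b.get(n, 0) for n in a if a[n] - b.get(n, 0) > 0}


if __name__ == "__main__":
    for c in drops(parse_counters(SAMPLE)):
        print(f"{c.name}: {c.value} ({c.description})")
    print(diff_samples(BEFORE, AFTER))
```

On the poster's output this yields a single drop row, `flow_policy_no_zone_i`, whose description ("Session setup: no incoming zone") points straight at the missing layer 2 zone assignment; the session never reaches policy lookup, which is why no traffic log entry is written even with logging enabled on the intra-zone default rule.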
level 1

Sorry to ask the obvious, but you're 100% sure both NICs are in the same zone?

What about logging the inter-zone rule just for a moment to check the logs there?

What about the Palo's ARP table? Is it seeing both devices? Can you ping each device from the Palo's SVI?

level 2
Original Poster

Yes I am sure. Proof - https://imgur.com/3yR1YCD and https://imgur.com/AcY30gH

I just tried inter-zone rule logging and nothing showed up.

Both interfaces (eth2 and eth3) are in DMZ VLAN in layer2 mode and the VLAN interface is attached to said VLAN and in the DMZ security zone. It's straight layer2 traffic.

Interesting thing is, from both devices I can ping the palo (192.168.1.1) but not each other despite being able to ARP for each other.

Palo ARP table:

interface         ip address      hw address        port              status   ttl  
--------------------------------------------------------------------------------
vlan              192.168.1.5     ac:22:0b:51:7b:31 ethernet1/3         c      1104 
vlan              192.168.1.60    e2:89:c4:d4:dc:8c ethernet1/3         c      1104 
vlan              192.168.1.61    32:60:c4:5a:6b:f0 ethernet1/3         c      1780 
vlan              192.168.1.62    52:4f:13:5c:06:a4 ethernet1/3         c      869  
vlan              192.168.1.100   00:0c:29:2b:92:2e ethernet1/2         c      1777 
vlan              192.168.1.101   00:0c:29:e6:38:f7 ethernet1/2         c      1754 

HostA ARP:

ccurtis@arm:~$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   08:30:6b:13:9a:01   C                     ens160
192.168.1.100            ether   00:0c:29:2b:92:2e   C                     ens160
192.168.1.5              ether   ac:22:0b:51:7b:31   C                     ens160

ccurtis@arm:~$ sudo arping 192.168.1.5
ARPING 192.168.1.5
60 bytes from ac:22:0b:51:7b:31 (192.168.1.5): index=0 time=11.587 msec
60 bytes from ac:22:0b:51:7b:31 (192.168.1.5): index=1 time=6.512 msec
60 bytes from ac:22:0b:51:7b:31 (192.168.1.5): index=2 time=1.328 msec
^C
--- 192.168.1.5 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 1.328/6.476/11.587/4.188 ms

HostB ARP:

root@localhost:~ # arp -a
? (192.168.1.1) at 08:30:6b:13:9a:01 on em0 expires in 999 seconds [ethernet]
? (192.168.1.101) at 00:0c:29:e6:38:f7 on em0 expires in 1121 seconds [ethernet]
? (192.168.1.5) at ac:22:0b:51:7b:31 on em0 permanent [ethernet]
? (192.168.1.61) at 32:60:c4:5a:6b:f0 on em0 permanent [ethernet]
? (192.168.1.60) at e2:89:c4:d4:dc:8c on em0 permanent [ethernet]
? (192.168.1.62) at 52:4f:13:5c:06:a4 on em0 permanent [ethernet]
level 3

1st screenshot: I see they're assigned to VLANs, but not to security zones, which say "none".

TBH, haven't worked too much with layer 2 interfaces on PAs, but I would still think you would want to assign the zone there in the int conf, no? Worth a shot.

level 3
CCNP R&S

If the hosts can see each other in ARP then clearly the traffic is passing. Is the firewall policy dropping ICMP between the hosts?

I know nothing about PA devices but it wouldn't surprise me to see ARP passing fine but ICMP being blocked by default.

level 1

Look at the interface statistics and see what they actually say about the issue. You should be able to see if you have any receive errors and the number of packets that have been dropped.

level 2
Original Poster

Mostly zeros. Nothing is incrementing as I am generating traffic from hostA to hostB.

admin@pa-fw> show interface ethernet1/2 
  |        Pipe through a command
  <Enter>  Finish input

admin@pa-fw> show interface ethernet1/2 | match drop
packets dropped                          0
packets dropped                          0
packets dropped by flow state check      0
teardrop attacks                         0
admin@pa-fw> show interface ethernet1/3 | match drop 
packets dropped                          0
packets dropped                          0
packets dropped by flow state check      0
teardrop attacks                         0
admin@pa-fw> show interface ethernet1/2 | match error
receive incoming errors                  0
receive errors                           0
receive errors                           0
forwarding errors                        0
admin@pa-fw> show interface ethernet1/3 | match error 
receive incoming errors                  0
receive errors                           517
receive errors                           0
forwarding errors                        0

admin@pa-fw> 
admin@pa-fw> show interface vlan | match drop           
packets dropped                          1106
packets dropped by flow state check      1195
teardrop attacks                         0
admin@pa-fw> show interface vlan | match error
receive errors                           0
forwarding errors                        0
level 1
You should've enabled port-security

Can you show a screenshot of the now working rules? Glad you solved it

level 2
Original Poster

Not at work anymore. It was the default system intra-zone rule that was matching.

level 1
You should've enabled port-security

So you created a new zone added the interfaces then added it to your rule?

level 2
Original Poster

Created a new layer2 zone and added the two physical interfaces to it. That is all the changes that were necessary.

level 1

Palo has two rules at the bottom of the policy for the interzone default.

You need to set these to log or you're not going to see the drops.
