Mukesh Chanderia

Packet Flow in Palo Alto

Updated: Jan 30, 2022





Logic Flow


1) Initial Packet Processing --> Src Zone/Address/User ID --> Forwarding Lookup --> Destination Zone --> NAT policy evaluated


2) Security Pre-Policy --> Check allowed ports --> Session Created


3) Application --> Check for Encrypted traffic --> Decryption policy --> Application Override Policy --> App-ID


4) Security Policy --> Check Security Policy --> Check Security Profiles


5) Post Policy Processing --> Re-encrypt Traffic --> NAT policy applied --> Packet Forwarded


Packet received on ingress interface --> Packet Ingress Process [Extract L2/L3/L4 info] --> VPN decryption --> Session Lookup [No Session] --> Slow Path Processing --> Forwarding Lookup --> Egress Interface / Destination Zone --> NAT Lookup --> Security Policy Lookup --> Create Session




Ingress Stage


This stage receives the packet, parses it into its headers and passes it on for further inspection.


Packet inspection starts with the Layer-2 header on the ingress port, i.e. the 802.1Q tag and the destination MAC address. The packet is discarded if no matching interface is found.


For IPv4, the firewall discards the packet if any of the following is found:


1) Mismatch of Ethernet type and IP version

2) Truncated IP header

3) IP protocol number 0

4) TTL zero

5) Land attack (source and destination address are the same)

6) Ping of death

7) Martian IP address

8) IP checksum error


For IPv6, the firewall discards the packet on a mismatch of Ethernet type and IP version, a truncated IPv6 header, a truncated IP packet (IP payload buffer length less than the IP payload length field), a Jumbogram extension header (RFC 2675), or a truncated extension header.


Now the Layer-4 (TCP/UDP) header is parsed.


TCP: The firewall discards the packet if the TCP header is truncated, the data offset field is less than 5, the checksum is wrong, or the combination of TCP flags is invalid.


UDP: The firewall discards the packet if the UDP header is truncated, the UDP payload is truncated (the packet is not an IP fragment and the UDP buffer length is less than the UDP length field), or the checksum is wrong.
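The IPv4 branch of these ingress sanity checks, as an added example that is not the firewall's own code: a small parser that applies the Layer-2 and Layer-3 drop rules listed above (802.1Q tag handling, Ethernet type vs. IP version, truncated header, protocol 0, TTL zero, land attack, martian source, header checksum) to a constructed Ethernet frame. The martian prefix set and the `build_ipv4_frame` helper are assumptions made for the demonstration; real firewalls use a fuller martian list and also check fragments and Layer 4.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def is_martian(addr: bytes) -> bool:
    """Assumed subset of martian sources: 0/8, loopback, class D/E (a real list is longer)."""
    return addr[0] == 0 or addr[0] == 127 or addr[0] >= 224

def ingress_check_ipv4(frame: bytes) -> str:
    """Return 'ok' or the reason the ingress stage would discard this Ethernet frame."""
    if len(frame) < 14:
        return "truncated Ethernet header"
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETHERTYPE_VLAN:            # 802.1Q tag: skip the TCI, read the inner type
        if len(frame) < 18:
            return "truncated VLAN tag"
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    ip = frame[offset:]
    if len(ip) < 20 or (ip[0] & 0x0F) < 5 or len(ip) < (ip[0] & 0x0F) * 4:
        return "truncated IP header"
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if ethertype != ETHERTYPE_IPV4 or version != 4:
        return "Ethernet type / IP version mismatch"
    ttl, proto, src, dst = ip[8], ip[9], ip[12:16], ip[16:20]
    if proto == 0:
        return "IP protocol number 0"
    if ttl == 0:
        return "TTL zero"
    if src == dst:
        return "land attack"                   # same source and destination address
    if is_martian(src):
        return "martian source address"
    if ip_checksum(ip[:ihl]) != 0:
        return "IP checksum error"
    return "ok"

def build_ipv4_frame(src, dst, proto=6, ttl=64, valid_checksum=True) -> bytes:
    """Constructed sample frame (not a capture): Ethernet + 20-byte IPv4 header, no payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, bytes(src), bytes(dst))
    if valid_checksum:
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + hdr
```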


Tunnel Decapsulation

The firewall performs tunnel decapsulation/decryption at the parsing stage. It decapsulates the packet first and then checks it for errors; if an error is found, the packet is discarded.


IP Defragmentation

The firewall parses IP fragments, reassembles them through the defragmentation process and then feeds the reassembled packet, with its IP header, back into the ingress stage.


The firewall discards the packet if it is part of a teardrop attack, has fragmentation errors, or exceeds the buffered-fragment limit (maximum packet threshold).


Firewall Session Lookup

The firewall inspects the packet and performs a session lookup on it. A firewall session consists of two unidirectional flows, each of which is uniquely identified.


Zone Protection Checks

When a packet arrives on a firewall interface, the firewall checks whether a Zone Protection profile is attached to the ingress zone. If one exists, the packet is evaluated as per the profile configuration.


Zone Protection profiles apply to new sessions in ingress zones and protect against flood attacks, reconnaissance (port scans and host sweeps), packet-based attacks, and layer 2 protocol-based attacks.


TCP State Check

The firewall first checks whether the SYN bit is set in the received packet; if it is not, the packet is discarded. If the SYN Flood protection action is set to Random Early Drop (RED), which is the default configuration, the firewall simply drops the packet.


Forwarding Setup

Packet forwarding depends on the configuration of the ingress interface (Tap, Virtual Wire, Layer-2 or Layer-3).


NAT Policy Lookup


NAT applies only in Layer-3 or Virtual Wire mode. The ingress/egress zone information of the original packet is used to evaluate the NAT rules.


For destination NAT, the firewall performs a second route lookup for the translated address to determine the egress interface/zone.


For source NAT, the firewall evaluates the NAT rule for source IP allocation. If the allocation check fails, the firewall discards the packet.


User-ID

The firewall uses the packet's source IP address to look up the user in the User-IP mapping table.


DoS Protection Policy Lookup

The firewall checks the DoS (Denial of Service) protection policy for the traffic, based on the attached DoS protection profile.


If the DoS protection policy action is set to Protect, the firewall checks the specified thresholds and, if there is a match, discards the packet.


Security Policy Lookup

The firewall uses application ANY to perform the security policy lookup and check for a rule match. If the matching rule's action is 'deny', or no rule matches at all, the firewall drops the packet. The firewall permits intra-zone traffic by default.


Session Allocation

Once all of the above checks have passed, the firewall allocates a new session entry from the free pool. Session allocation fails if the VSYS session maximum has been reached or the firewall has already allocated all available sessions.


Firewall Session Fast Path

The session fast path checks the packet from Layer 2 to Layer 4 and then handles it under the following conditions:


If the session is in the discard state, the firewall discards the packet.

If the session is active, the session timeout is refreshed.

If NAT applies, the L3/L4 header is translated accordingly.
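The session lookup and fast path described above (a session indexed by two unidirectional flows; discard state drops, an active match refreshes the timeout, and source NAT rewrites the L3/L4 header per direction), as an added example that is not the firewall's own code. The flow key layout, the idle-timeout handling and the `install`/`fast_path` names are assumptions for the demonstration; the zones and addresses in the test are constructed.

```python
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, str, int, int]   # (zone, src, sport, dst, dport, proto)

class Session:
    """One session, indexed by two unidirectional flows (client-to-server and server-to-client)."""
    def __init__(self, c2s: FlowKey, s2c: FlowKey, snat: Optional[Tuple[str, int]], now: float):
        self.c2s, self.s2c, self.snat = c2s, s2c, snat
        self.state = "active"          # "active" or "discard"
        self.last_seen = now

class SessionTable:
    def __init__(self, timeout: float = 30.0):
        self.flows: Dict[FlowKey, Session] = {}   # both flow keys point at the same Session
        self.timeout = timeout

    def install(self, in_zone, out_zone, src, sport, dst, dport, proto, now, snat=None):
        """Slow-path result: allocate one session and index it under both unidirectional flows."""
        c2s = (in_zone, src, sport, dst, dport, proto)
        nat_src, nat_sport = snat if snat else (src, sport)
        s2c = (out_zone, dst, dport, nat_src, nat_sport, proto)   # return flow uses the post-NAT tuple
        sess = Session(c2s, s2c, snat, now)
        self.flows[c2s] = sess
        self.flows[s2c] = sess
        return sess

    def fast_path(self, key: FlowKey, now: float):
        """Return (verdict, L3/L4 tuple) for a packet whose flow key is `key`."""
        sess = self.flows.get(key)
        if sess is None:
            return "slow_path", key            # no session: slow path (zone checks, NAT, policy, allocation)
        if sess.state == "discard":
            return "drop", None
        if now - sess.last_seen > self.timeout:  # idle session aged out: treat as a new flow
            self.flows.pop(sess.c2s, None)
            self.flows.pop(sess.s2c, None)
            return "slow_path", key
        sess.last_seen = now                   # active session: refresh the timeout
        _zone, src, sport, dst, dport, proto = key
        if sess.snat and key == sess.c2s:      # c2s direction: rewrite source to the NAT address/port
            src, sport = sess.snat
        elif sess.snat and key == sess.s2c:    # s2c direction: rewrite destination back to the real client
            dst, dport = sess.c2s[1], sess.c2s[2]
        return "forward", (src, sport, dst, dport, proto)
```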


Security Processing

When a packet matches an existing session, it is subject to further processing if it carries TCP/UDP data (payload) or is a non-TCP/UDP packet.


The firewall checks whether the session already has an application identified; if not, it performs an App-ID lookup. If the App-ID lookup does not resolve the application, the content inspection module runs the known protocol decoders to identify it.


If the firewall identifies the application, the session is forwarded to content inspection if either of the following applies:


The application is a tunneled application.

The matching security rule has a security profile associated with it.


Captive Portal

If no user information was found for the source IP address extracted from the packet and the packet is being forwarded toward its destination, the firewall performs a captive portal rule lookup and redirects the traffic for captive portal authentication.


Application Identification (App-ID)

The firewall first performs an application override policy lookup to see if there is a rule match. If no override rule matches, application signatures are used to identify the application.


Content Inspection

The firewall performs content inspection, identifies the content and permits it as per the security policy rule. It then passes the packet to the forwarding stage.


Forwarding/Egress

The firewall applies QoS, checks the packet against the egress MTU and fragments it if required.

If the egress interface is a tunnel interface, then IPsec/SSL-VPN tunnel encryption is performed.


