In this article, we will discuss on Packet handling process inside of PAN-OS of Palo Alto firewall.
Introduction: Packet Flow in Palo Alto
Packet passes through the multiple stages such as ingress and forwarding/egress stages that make packet forwarding decisions on a per-packet basis. Following are the stages of packet flow starting from receiving the packet to being transmitted out an interface –
Stages : Packet Flow in Palo Alto
This stage receives packet, parses the packets and passes for further inspection. Firewall continues with a session lookup and other security modules. After that firewall forwards the packet to the egress stage.
Packet inspection starts with the parameter of Layer-2 header on ingress port like 802.1q tag and destination MAC address are used as key to lookup the ingress logical interface. Packet will be discarded if interface not found.
The firewall will discard the packet in IPV4 case if mismatch of Ethernet type and IP version, Truncated IP header, IP protocol number 0, TTL zero, Land attack, Ping of death, Martian IP address, IP checksum errors. It will also discard the packet in IPV6 case if there is mismatch of Ethernet type and IP version, Truncated IPv6 header, Truncated IP packet (IP payload buffer length less than IP payload field), Jumbo Gram extension (RFC 2675), Truncated extension header.
The Layer-4 (TCP/UDP) header is parsed.
TCP: Firewall will discard the packet if TCP header is truncated, Data offset field is less than 5, Checksum error, Invalid combination of TCP flags.
UDP: Firewall will discard the packet if UDP header truncated, UDP payload truncated (not IP fragment and UDP buffer length less than UDP length field), Checksum error.
Firewall performs decapsulation/decryption at the parsing stage. Firewall decapsulates the packet first and checks for errors and if error is found, packet will be discarded.
Firewall parses IP fragments, reassembles using the defragmentation process and then feeds the packet back to the ingress with the IP header. Firewall discards the packet if packet is effected with tear-drop attack, fragmentation errors, buffered fragments (max packet threshold).
Related – Palo Alto Firewall Architecture
Firewall Session Lookup
Firewall inspects the packet and performs the lookup on packet. Firewall session includes two unidirectional flows, where each flow is uniquely identified. In PAN-OS, the firewall finds the flow using a 6-tuple terms:
- Source and destination addresses: IP addresses from the IP packet.
- Source and destination ports: Port numbers from TCP/UDP protocol headers
- Protocol: The IP protocol number from the IP header is used to derive the flow key.
- Security zone: This field is derived from the ingress interface at which a packet arrives.
Zone Protection Checks
When packet arrives on a firewall interface, the ingress interface performs the inspection of packet whether any zone profile exists. If zone profile exists, the packet is passed for evaluation as per profile configuration.
TCP State Check
Firewall firstly checks the SYN bit set in packet received, if it is not found, then packet will be discarded. If the SYN Flood protection action is set to Random Early Drop (RED) and this is default configuration, firewall simply drops the packet. SYN Cookies is preferred way when more traffic to pass through.
Packet forwarding of packet depends on the configuration of the interface. Below are interface modes which decides action: –
NAT is applicable only in Layer-3 or Virtual Wire mode. The ingress/egress zone information evaluates NAT rules for the original packet.
- For destination NAT, the firewall performs a second route lookup for the translated address to determine the egress interface/zone.
- For source NAT, the firewall evaluates the NAT rule for source IP allocation. If the allocation check fails, the firewall discards the packet.
Firewall uses the IP address of the packet to gather the information from User-IP mapping table. The corresponding user information is fetched from user-group mapping table and fetches the group mapping associated with this user.
DoS Protection Policy Lookup
Firewall checks the DoS (Denial of Service) protection policy for traffic based on the DoS protection profile. DoS protection policy action is set to Protect, the firewall checks the specified thresholds and if there is a match, firewall discards the packet.
Security Policy Lookup
Firewall uses application ANY to inspect the packet and perform the lookup and check for a rule match. If the policy action is set to ‘deny’, the firewall drops the packet if no rule match. The firewall permits intra-zone traffic by default. This default behavior for intra-zone and inter-zone traffic can be modified from the security policies rule base.
Firewall allocates a new session entry from the free pool if all checks are performed. Session allocation failure occurs if VSYS session maximum reached or firewall allocates all available sessions.
Firewall Session Fast Path
Session fast path checks the packet from layer 2 to layer 4 and passes under below conditions: –
- If the session is in discard state, then the firewall discards the packet.
- If the session is active, refresh session timeout.
- If the packet is a TCP FIN/RST, the session TCP half closed timer is started if this is the first FIN packet received (half closed session) or the TCP Time Wait timer is started if this is the second FIN packet or RST packet, session is closed as of these timers expire.
- If NAT is applicable, translate the L3/L4 header as applicable.
When packet is inspected and matches an existing session, it will be subject to further processing when the packet has TCP/UDP data (payload), or it is a non-TCP/UDP packet. Firewall checks for session application, if not found, it performs an App-ID lookup. If the App-ID lookup is non-conclusive, the content inspection module performs the known protocol decoder to check the application. If the firewall detects the application, the session is forwarded to content inspection if any of the following applied:
- Application Layer Gateway (ALG) is involved.
- Application is tunneled application.
- Security rule has security profile associated.
If the user information was not found for the source IP address extracted from the packet and the packet forwarded toward destination, firewall performs a captive portal rule lookup and forwards for captive portal authentication.
Application Identification (App-ID)
Firewall firstly performs an application policy lookup to see if there is a rule match. If there is no application rule, then application signatures are used to identify the application.
Firewall performs content Inspection, identifies the content and permits as per security policy rule. Next, it forwards the packet to the forwarding stage.
- Firewall performs QoS shaping as applicable in the egress process. Firewall inspects the packet MTU size and the fragment bit settings on the packet at egress interface and performs fragmentation if required.
- If the egress interface is a tunnel interface, then IPsec/SSL-VPN tunnel encryption is performed.
Related – Palo Alto Cheatsheet
Packet is inspected by Palo Alto Firewall at various stages from ingress to egress and performs the defined action as per policy / security checks and encryption. Packet passes from Layer 2 checks and discards if error is found in 802.1q tag and MAC address lookup. Packet is forwarded for TCP/UDP check and discarded if anomaly in packet. Next is defragmentation/decapsulation and NAT, followed by zone check. Later on, User-ID lookup and DoS attack protection and other security checks in zone are executed as per configured rule.