- A Palo Alto Network firewall in layer 3 mode provides routing and network address translation (NAT) functions.
- Source and destination zones on NAT policy are evaluated pre-NAT based on the routing table
- Example 1 : If you are translating traffic that is incoming to an internal server (which is reached via a public IP by Internal users). It is necessary to configure the NAT policy busing the zone is which the Public IP address resides .
- Example 2: If you are translating traffic that is incoming to an internal server (which is reached via a public IP by Internal users and that public IP is routed to a DMZ zone). It is necessary to configure the NAT policy using the DMZ zone.
- Original IP addresses are ALWAYS used with rules, no matter which policy. Why? Because address translation does not actually happen until the packet egress the firewall.
- The ONLY zone that may change from the original packet during processing is the destination zone.
Full Packet FLow Process Diagram :
Ingress Flow Diagram and Process
- When a packet is received, the ingress port, 802.1q tag, and destination MAC address are used to lookup the ingress logical Interface and zone.
- Then Information from network Layer 3 and Layer 4 is extracted, if there is an error or a simple breach is detected, the packet is dropped, like the packet is dropped if the packet contains a truncated header, a mismatch of ethernet type and IP version, an IP protocol number of zero, a Ping of Death, or a checksum error.
- IP defragmentation also happens at this stage.
- The Packet type and the interface mode will determine whether a packet requires firewall processing. For Example :
- for a Layer 3-mode interface. All IP broadcast packets will be dropped instead of inspected.
- A Layer 2-mode interface will forward IP broadcast packets.
- IPv6 packets will be inspected only if IPv6 networking is turned on.
- All IP unicast packets will be inspected for every type of interface.
- If the firewall determines that the packet comes from a IPSec or SSL-VPN tunnel, the packet is decapsulated and sent back to the parsing process. The tunnel interface is assigned as the ingress interface.
- The Firewall will attempt to match the packet to an existing session.
The Firewall now perform a flow lookup on the packet. A flow is any stream of packets that share the same 6-tuple
- A 6 tuple consists of :
- Src and Dst IP Address
- Src and Dst TCP/UDP Port
- Protocol number
- Ingress Zone
Firewall Maintains a list of active flows, each of which is identified by its 6-tuple. The firewall compare the 6-tuple of inspected packet to the active flow table. Any packet that is not part of an active flow is sent to Slowpath. The Slowpath will lookup the egress interface for the packet, apply the appropriate NAT policy, and then perform a Security Policy lookup (without knowing the application).
If the packet is allowed by the Security policies, the firewall with then create and install a new session. IT will create entries for the server to client (S2c) and client to serve (c2s) flow in the active flow table using the unique 6 tuple as an identifier for each flow. Then packet sent to Fastpath for further processing.
If packet is already part of an active flow, there is no need to do a forwarding lookup or security policy rule comparison because these operations already were performed on the first packet in the flow. A packet from an existing session thus is immediately sent to the Fastpath.
Firewall Session Setup/Slowpath
Skipped if the packet is from an existing session
Forwarding lookup: Find the egress interface/zone
Nat Policy: second forwarding lookup if the destination NAT
FW security policy lookup (app=any*) *This is a port/protocol check.
If the packet is allowed by policies, set up the session
For packet is established sessions
Layer 2-4 FW processing : Discard packet if session is not active
Update session lifetime
Do NAT if applicable
Decrypt SSL of acting as SSL proxy
App-ID and Content-ID Flow
The firewall first perform an application –override policy lookup to determine if there is a rule match. If there is a match, the application is known and content inspection is skipped for this session.
If there no application –override rule, the application signatures are used to identify the application. The firewall uses protocol decoding in the content inspection stage to determine if the packet payload switches from one application to another.
The firewall perform content inspection, if applicable. First, protocol decoder decode the flow and the firewall parse and identifies known tunnelling application changes due to this action, the firewall consults the security policies once again to determine if the session should be permitted to continue.
If the application does not change, the firewall inspects the content as per all the security profiles attached to the original matching rule. If the comparison results in threat detection, the corresponding Security Profile action is taken.
The firewall then forwards the packet to the forwarding stage if following conditions is true: If inspection results in a detection and the Security Profile action is set to “allow”.
Content inspection returns no detection.
The firewall then re-encrypt the packet before entering the forwarding stage, if applicable.
The firewall identifies a forwarding domain for the packet, based on the forwarding setup determined during ingress.
The firewall perform QoS shaping as applicable in the egress process. Also, Based on the MTU of the egress interface and the fragment bit settings on the packet, the firewall carries our fragmentation, if needed.
If the egress interface is a tunnel interface, then IPSec or SSL VPN tunnel encryption is performed and packet forwarding is re-evaluated.
After NAT, the firewall ensures that the source and destination address are not the same. Oif the addresses are the same, the packet is dropped.
The packet is transmitted out the physical egress interface.
Useful links :