Installation Steps For Virtual Wire Mode Evaluations

I recently had the opportunity of deploying a PaloAlto PA-2020 in inline mode within a pre-existing network. PaloAlto (PA) refer to inline mode as VWire, or Virtual Wire. It worked fantastically well but I hit a snag when trying to access some internal servers.

In a nutshell, and greatly simplified, imagine a network set up as follows:

– A VLAN-aware switch (no L3 routing capabilities)
– Inter-VLAN routing is handled by a stateful firewall
– The PA-2020 is set inline with no blocking rules, allowing all VLAN traffic

Below is a diagram to help visualise the problem.

Basically the internal user 1.1.1.1 was unable to access the internal server 2.2.2.2. Troubleshooting determined:

a. The internal user 1.1.1.1 was sending SYN packets but not receiving any response
b. The internal server 2.2.2.2 was receiving SYN packets from 1.1.1.1 and answering with SYN/ACK packets, but the final ACK packet required to complete the TCP three-way handshake was not being received
c. The firewall was relaying both the first SYN packet and the second SYN/ACK packet

Everything pointed towards the PA-2020 having an issue with this three-way handshake. The clue was in the PA-2020 logs, which showed the same TCP connection as coming from both eth1/2 (correct) and eth1/1 (incorrect).

Once displayed in a diagram as above it becomes easy to visualise what is happening:

Step 1. The internal user sends a packet like so: SRC IP: 1.1.1.1, DST IP: 2.2.2.2. The PA sees this packet as coming in on its eth1/2 interface, logs the connection and, as shown in the table on the top left of the diagram, records IP 1.1.1.1 as being reachable on interface eth1/2.

Step 2. The firewall routes the packet. Since the firewall is acting as a router, it receives the packet from 1.1.1.1 and forwards it out of the same physical interface to its destination, from subinterface VLAN1 to subinterface VLAN2. So the Palo Alto sees the same packet as it saw in step one, but this time it arrives on interface eth1/1, so it updates its cache and notes IP 1.1.1.1 as being reachable on interface eth1/1.

Step 3. The server answers the SYN packet and sends its reply to the firewall: SRC IP: 2.2.2.2, DST IP: 1.1.1.1. The Palo Alto dutifully notes that IP 2.2.2.2 is reachable on eth1/2.

Step 4. The firewall routes the server's reply to the client, using the inverse of step 1, that is, from subinterface VLAN2 to subinterface VLAN1. This is where the PA gets confused. The last mapping it had shows that 1.1.1.1 is reachable on eth1/1 (see step 2), so it dutifully sends the packet out of that interface: the wrong one. So the client never gets the reply, and the connection is never established.

The solution in this case was to introduce source NAT, or hide NAT. On step 2, the firewall changes the source IP to the IP of one of its interfaces, say 2.2.2.1.

In this way, the PA-2020 never sees the same IP on two different interfaces and everything works as it should.
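As an added illustration (not code from this post or from Palo Alto Networks), the Python model below walks the four steps above through a toy inline device that tracks per-connection state, namely which side the client-to-server flow entered on, rather than the per-IP table the post sketches; the hide-NAT address 2.2.2.1 is the one the post uses.

```python
"""Toy model of a stateful inline (virtual wire) device sitting between the
VLAN switch and the router-on-a-stick firewall described in the post. Added
illustration only, not PAN-OS code: per connection it records which of its two
interfaces the client-to-server flow entered on and sends the server-to-client
direction back out that interface."""

PAIR = {"eth1/2": "eth1/1", "eth1/1": "eth1/2"}  # the two paired vwire interfaces


class VWire:
    def __init__(self):
        self.sessions = {}  # (client, server) -> interface the c2s flow entered on

    def forward(self, src, dst, ingress):
        """Return the egress interface for a packet src->dst arriving on ingress."""
        if (src, dst) in self.sessions:            # client-to-server direction
            self.sessions[(src, dst)] = ingress    # re-learned, as the post describes
            return PAIR[ingress]
        if (dst, src) in self.sessions:            # server-to-client direction
            return self.sessions[(dst, src)]       # back where the client flow came in
        self.sessions[(src, dst)] = ingress        # first packet of a new connection
        return PAIR[ingress]


def handshake(hide_nat=None):
    """Walk steps 1-4 from the post and return the egress interface per step.
    hide_nat is the firewall's source-NAT address (None = as originally deployed).
    The client sits behind eth1/2, so the SYN/ACK only reaches it via eth1/2."""
    client, server = "1.1.1.1", "2.2.2.2"
    pa, egress = VWire(), []
    # step 1: client SYN enters from the switch side, heads to the firewall
    egress.append(pa.forward(client, server, "eth1/2"))
    # step 2: firewall routes VLAN1 -> VLAN2 and re-injects it, optionally source-NATted
    c2s_src = hide_nat or client
    egress.append(pa.forward(c2s_src, server, "eth1/1"))
    # step 3: server SYN/ACK enters from the switch side, addressed to the source it saw
    egress.append(pa.forward(server, c2s_src, "eth1/2"))
    # step 4: firewall routes the reply VLAN2 -> VLAN1 (undoing NAT) and re-injects it
    egress.append(pa.forward(server, client, "eth1/1"))
    return egress


if __name__ == "__main__":
    for nat in (None, "2.2.2.1"):
        path = handshake(nat)
        verdict = "client gets SYN/ACK" if path[-1] == "eth1/2" else "SYN/ACK sent back to firewall"
        print(f"hide NAT={nat!s:8} egress per step {path} -> {verdict}")
```

Without NAT the step-2 packet re-learns the existing connection on eth1/1, so the step-4 reply is sent back towards the firewall; with hide NAT the two legs become separate connections and the reply goes out eth1/2 to the client.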
