Security policy is always re-evaluated whenever the identified application changes, either from
unknown to a known application, or from a tunneling application to the tunneled application.
Ingress Stage
The ingress stage receives a packet from the network interface, parses it and determines
whether the packet is subject to firewalling. If it is, processing continues with the firewall
session lookup and enters the security processing stage; otherwise the packet is simply
forwarded.
Note: During packet processing a packet may be discarded because of a protocol violation. In
certain cases, which are considered firewall attack-prevention features, the packet is discarded
without any configurable option, because such packets would eventually be discarded by the end
hosts anyway.
Layer 2: The ingress port, 802.1q tag and destination MAC address are used as the key to look up
the ingress logical interface. If no interface is found the packet is discarded, and the hardware
interface counter "receive error" and the global counter "flow_rcv_dot1q_tag_err" are incremented.
Layer 3: The IP header is parsed.
IPv4: A packet can be discarded for any one of the following reasons
• Mismatch of Ethernet type and IP version
• Truncated IP header
• IP protocol number 0
• TTL zero
• Land attack (source address and port equal to destination address and port)
• Ping of death (reassembled ICMP packet larger than the maximum IP packet size)
• Martian IP address (source address that cannot legitimately appear on the wire, e.g. loopback or
  an unspecified address)
IPv6: A packet can be discarded for any one of the following reasons
• Mismatch of Ethernet type and IP version
• Truncated IPv6 header
• Truncated IP packet (IP payload buffer length less than the IP payload length field)
• Jumbogram extension header (RFC 2675)
• Truncated extension header
Layer 4:
TCP: The packet is discarded if
• the TCP header is truncated,
• the data-offset field is less than 5 (a header shorter than the 20-byte minimum),
• the checksum is incorrect,
• the source or destination port is zero, or
• the TCP flags are an invalid combination.
UDP: The packet is discarded if
• the UDP header is truncated,
• the UDP payload is truncated (the packet is not an IP fragment and the UDP buffer length is
  less than the UDP length field), or
• the checksum is incorrect.
Currently all supported tunnel types are IP-layer tunnels, so parsing of a tunneled packet starts
again at the inner IP header.
IP Defragmentation
IP fragments are parsed, reassembled by the defragmentation process, and the reassembled packet
is fed back to the parser starting at the IP header. A fragment may be discarded as a teardrop
attack (overlapping fragments).
Virtual wires
[Table fragment: packet type versus interface mode. Only the "IPv4 unicast" row survived
extraction; it reads "Inspect and forward" in five columns and "Inspect and drop" in the sixth.
The column headers are not recoverable from this page.]
If the packet is subject to firewall inspection, a flow lookup is performed on it. A firewall
session consists of two unidirectional flows, each uniquely identified by a 6-tuple key. In the
PAN-OS implementation the key is made up of:
• Source and destination addresses: the IP addresses from the IP header.
• Source and destination ports: the port numbers from the TCP/UDP header. For protocols other
  than TCP/UDP a protocol-specific field takes their place: for ICMP the ICMP identifier and
  sequence number are used, for IPSec the SPI, and for PPTP the GRE call ID.
• Protocol: the IP protocol number from the IP header.
• Security zone: derived from the ingress interface at which the packet arrives.
Active flows are stored in the flow lookup table. When a packet is determined to be eligible for
firewall inspection, the 6-tuple flow key is extracted from the packet and a flow lookup is performed
to match the packet to an existing flow. Each session has a client and a server component: the
client is the sender of the first packet of the session, from the firewall's perspective, and the
server is the receiver of that very first packet.
Note: The distinction between client and server is from the firewall's point of view and may or
may not match the end hosts' point of view.
Based on this definition there is a client-to-server (C2S) flow and a server-to-client (S2C)
flow. All client-to-server packets must carry the same key as the C2S flow, and likewise all
server-to-client packets the key of the S2C flow.
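The following is an added example, not PAN-OS code, that shows the flow-key extraction and session lookup described above on raw IPv4 packets: the 6-tuple is built from the IP header, the L4 identifiers (TCP/UDP ports, or ICMP identifier and sequence number) and the ingress zone; the first packet of a new session allocates a C2S flow plus its mirrored S2C flow; later packets are matched to one of the two. The interface-to-zone mapping, the egress zone handed in from the forwarding stage, and the test packets are assumptions constructed for the example.

```python
import struct
from typing import Dict, Tuple

# Added example, not PAN-OS code. Assumed interface-to-zone mapping.
IFACE_ZONE = {"ethernet1/1": "trust", "ethernet1/2": "untrust"}
FlowKey = Tuple[str, str, int, int, int, str]  # src, dst, id-a, id-b, proto, zone
TCP, UDP, ICMP = 6, 17, 1


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src, dst, proto, payload); reject the header faults listed in the text."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("truncated header or not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IP header")
    ttl, proto = pkt[8], pkt[9]
    if proto == 0 or ttl == 0:
        raise ValueError("IP protocol 0 or TTL 0")
    ip = lambda b: ".".join(str(x) for x in b)
    return ip(pkt[12:16]), ip(pkt[16:20]), proto, pkt[ihl:]


def l4_ids(proto: int, payload: bytes) -> Tuple[int, int]:
    """Per-protocol identifiers: TCP/UDP ports; ICMP identifier and sequence number."""
    if proto in (TCP, UDP):
        if len(payload) < 4:
            raise ValueError("truncated L4 header")
        return struct.unpack("!HH", payload[:4])
    if proto == ICMP:
        if len(payload) < 8:
            raise ValueError("truncated ICMP header")
        return struct.unpack("!HH", payload[4:8])
    return 0, 0  # IPSec SPI / GRE call-ID handling omitted in this example


def flow_key(pkt: bytes, ingress_iface: str) -> FlowKey:
    src, dst, proto, payload = parse_ipv4(pkt)
    a, b = l4_ids(proto, payload)
    return (src, dst, a, b, proto, IFACE_ZONE[ingress_iface])


def reverse_key(c2s: FlowKey, egress_zone: str) -> FlowKey:
    """S2C key: addresses and ports swap, but an ICMP reply repeats id/seq unchanged."""
    src, dst, a, b, proto, _ = c2s
    if proto == ICMP:
        return (dst, src, a, b, proto, egress_zone)
    return (dst, src, b, a, proto, egress_zone)


class SessionTable:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Tuple[int, str]] = {}
        self.next_id = 1

    def process(self, pkt: bytes, ingress_iface: str, egress_zone: str) -> Tuple[int, str, bool]:
        """Return (session id, 'c2s' or 's2c', newly allocated). The sender of the first
        packet is the client from the firewall's point of view, whatever the hosts think."""
        key = flow_key(pkt, ingress_iface)
        hit = self.flows.get(key)
        if hit is not None:
            return hit[0], hit[1], False
        sid, self.next_id = self.next_id, self.next_id + 1
        self.flows[key] = (sid, "c2s")
        self.flows[reverse_key(key, egress_zone)] = (sid, "s2c")
        return sid, "c2s", True


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left zero."""
    pack_ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, pack_ip(src), pack_ip(dst))
    return hdr + payload


if __name__ == "__main__":
    t = SessionTable()
    syn = build_ipv4("10.0.0.5", "203.0.113.9", TCP, struct.pack("!HH", 40000, 443) + bytes(16))
    print(t.process(syn, "ethernet1/1", "untrust"))   # (1, 'c2s', True)
    synack = build_ipv4("203.0.113.9", "10.0.0.5", TCP, struct.pack("!HH", 443, 40000) + bytes(16))
    print(t.process(synack, "ethernet1/2", "trust"))  # (1, 's2c', False)
```

Because the zone is part of the key, the same SYN-ACK arriving on the trust-side interface does not match the S2C flow and would instead be treated as the first packet of a new session; this is the mechanism by which asymmetric paths end up as separate sessions.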
• The seed used to encode the cookie is generated by a random number generator each time the
  dataplane boots.
• If the ACK packet received from the client does not match the cookie encoding, the firewall
  treats the packet as a non-SYN first packet and discards it.
• A session that passes the SYN cookie check is subject to TCP sequence number translation,
  because the firewall acted as a proxy for the TCP 3-way handshake.
Note:
I. The firewall can be configured to allow the first TCP packet of a session even if it does not
   have the SYN bit set. This is not a recommended setting, but scenarios with asymmetric flows
   require it.
II. It is recommended to configure the firewall to reject TCP non-SYN first packets when SYN
   cookies are enabled.
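An added example, not PAN-OS code, of a SYN cookie proxy with the three properties the bullets above describe: a seed drawn at "dataplane boot" and never stored, validation of the client's ACK against the cookie encoding (a mismatch is rejected the way a non-SYN first packet would be), and the sequence number delta the firewall must apply to every later packet because the server's real ISN differs from the cookie it handed the client. The cookie layout (8-bit time counter plus 24-bit HMAC of the 4-tuple) and the one-tick expiry are this example's choices, not PAN-OS's encoding.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Callable, Optional

MASK32 = 0xFFFFFFFF


class SynCookieProxy:
    """Added example, not PAN-OS code: illustrative SYN cookie generation/validation."""

    def __init__(self, seed: Optional[bytes] = None, now: Optional[Callable[[], int]] = None):
        # Seed is created when the dataplane starts; it never leaves memory.
        self.seed = seed if seed is not None else os.urandom(16)
        self.now = now or (lambda: int(time.time()))

    def _tick(self) -> int:
        return (self.now() // 60) & 0xFF  # 8-bit coarse time counter (one tick = 60 s)

    def _mac(self, src: bytes, dst: bytes, sport: int, dport: int, tick: int) -> bytes:
        msg = struct.pack("!4s4sHHB", src, dst, sport, dport, tick)
        return hmac.new(self.seed, msg, hashlib.sha256).digest()[:3]  # 24-bit tag

    def cookie(self, src: bytes, dst: bytes, sport: int, dport: int) -> int:
        """ISN placed in the proxied SYN-ACK: tick in the top byte, MAC in the low 24 bits."""
        tick = self._tick()
        return (tick << 24) | int.from_bytes(self._mac(src, dst, sport, dport, tick), "big")

    def validate(self, src: bytes, dst: bytes, sport: int, dport: int, ack: int) -> bool:
        """The client's ACK must equal cookie + 1 and be at most one tick old."""
        c = (ack - 1) & MASK32
        tick = c >> 24
        cur = self._tick()
        if tick not in (cur, (cur - 1) & 0xFF):
            return False
        expected = self._mac(src, dst, sport, dport, tick)
        return hmac.compare_digest(expected, (c & 0xFFFFFF).to_bytes(3, "big"))


# Once the client is validated the firewall opens the real connection; the server's ISN
# differs from the cookie, so sequence/ack numbers are rewritten for the rest of the session.
def seq_delta(cookie: int, server_isn: int) -> int:
    return (cookie - server_isn) & MASK32


def translate_s2c_seq(seq: int, delta: int) -> int:
    """Server sequence numbers are shifted into the cookie space the client agreed to."""
    return (seq + delta) & MASK32


def translate_c2s_ack(ack: int, delta: int) -> int:
    """Client acknowledgements are shifted back into the server's own space."""
    return (ack - delta) & MASK32


if __name__ == "__main__":
    # Constructed addresses/ports for the demo; fixed seed and clock so the run is repeatable.
    p = SynCookieProxy(seed=b"\x01" * 16, now=lambda: 600)
    src, dst = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9])
    c = p.cookie(src, dst, 40000, 443)
    print(p.validate(src, dst, 40000, 443, c + 1))  # True: correct ACK
    print(p.validate(src, dst, 40000, 443, c + 2))  # False: treated as non-SYN, dropped
```

Only after `validate` succeeds does the firewall spend a session entry, which is the point of the mechanism: a SYN flood costs the attacker a round trip per bogus ACK and costs the firewall nothing but an HMAC.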
Forwarding setup
This stage determines the packet forwarding path. Packet forwarding depends on how the firewall
interface is configured. The table below summarizes the forwarding behavior per interface mode.
Interface mode / Forwarding action
Tap: The egress interface/zone is the same as the ingress interface/zone. The packet is
     discarded.
Virtual Wire: The egress interface is the peer interface configured in the virtual wire.
Layer 2: The egress interface for the destination MAC is retrieved from the MAC table. If the
     information is not present the frame is flooded to all interfaces in the VLAN except the
     ingress interface.
Layer 3: A route table lookup is used to determine the next hop.
User ID
If no user information is available for the source IP address and the packet is destined to TCP/80,
a captive portal rule lookup is performed to determine whether the packet is subject to captive
portal authentication. If captive portal applies, the packet is redirected to the captive portal
daemon.
Session allocation
A new session entry is allocated from the free pool once all of the above steps have completed
successfully. Session allocation may fail at this point because of resource constraints.
• The session is filled in with the flow keys extracted from the packet and with the
  forwarding/policy results.
• The session state changes from INIT (pre-allocation) to OPENING (post-allocation).
• If the application has not yet been identified, the session timeout is set to the default
  value for the transport protocol.
• If the session is in the discard state the packet is discarded. A session is marked discard
  when a policy change turns its action to deny, or when a threat is detected.
• If the session is active, the session timeout is refreshed.
• If the packet is a TCP FIN/RST, the session timeout is changed to the timeout-tcpwait value.
• If NAT applies, the L3/L4 header is translated.
A packet matching an existing session is subject to layer 7 processing if any of the following
conditions match.
If an application uses TCP as its transport, the data is processed by the TCP reassembly module
before the stream is fed to the layer 7 module. The TCP reassembly module also performs the
window check, buffers out-of-order data and skips TCP retransmissions.
After the session's application is identified, access control, content inspection, traffic
management and logging are set up as configured.
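An added example, not PAN-OS code, of the three reassembly behaviours named above for one direction of a TCP stream: a segment outside the receive window is dropped, a segment past the next expected byte is held until the hole is filled, and bytes already delivered (a full or partial retransmission) are skipped rather than handed to layer 7 twice. Sequence arithmetic is modulo 2^32 so wrap-around is handled; the window size, the drop policy for out-of-window data and the sample segments are assumptions of the example.

```python
from typing import Callable, Dict, Optional

MASK32 = 0xFFFFFFFF


class Reassembler:
    """Added example, not PAN-OS code: one direction of TCP stream reassembly."""

    def __init__(self, isn: int, window: int = 65535,
                 sink: Optional[Callable[[bytes], None]] = None) -> None:
        self.next_seq = (isn + 1) & MASK32   # first data byte follows the SYN
        self.window = window
        self.sink = sink                     # layer-7 consumer of in-order bytes
        self.pending: Dict[int, bytes] = {}  # out-of-order segments keyed by seq
        self.stream = bytearray()            # everything delivered so far (for inspection)
        self.dropped = 0                     # bytes outside the window
        self.retransmitted = 0               # bytes already seen and skipped

    def _offset(self, seq: int) -> int:
        """Signed distance of seq from next_seq using 32-bit serial arithmetic."""
        d = (seq - self.next_seq) & MASK32
        return d - (1 << 32) if d > 0x7FFFFFFF else d

    def _push(self, data: bytes) -> int:
        self.stream += data
        self.next_seq = (self.next_seq + len(data)) & MASK32
        if self.sink is not None:
            self.sink(data)
        return len(data)

    def segment(self, seq: int, data: bytes) -> int:
        """Feed one segment; return the number of bytes delivered in order by this call."""
        if not data:
            return 0
        off = self._offset(seq)
        if off + len(data) <= 0:              # entirely below next_seq: pure retransmission
            self.retransmitted += len(data)
            return 0
        if off >= self.window:                # window check: beyond what we will accept
            self.dropped += len(data)
            return 0
        if off < 0:                           # overlaps delivered data: skip the known prefix
            self.retransmitted += -off
            data, off = data[-off:], 0
        if off > 0:                           # hole before this segment: buffer it
            self.pending[seq] = data
            return 0
        delivered = self._push(data)
        return delivered + self._drain()

    def _drain(self) -> int:
        """Deliver buffered segments that have become contiguous with next_seq."""
        delivered = 0
        while self.pending:
            s = min(self.pending, key=self._offset)
            o = self._offset(s)
            if o > 0:
                break                          # still a hole in front of the earliest segment
            d = self.pending.pop(s)
            if o + len(d) <= 0:                # fully covered by data delivered meanwhile
                self.retransmitted += len(d)
                continue
            if o < 0:
                self.retransmitted += -o
                d = d[-o:]
            delivered += self._push(d)
        return delivered


if __name__ == "__main__":
    # Constructed request split into segments and delivered out of order with a retransmission.
    r = Reassembler(isn=1000, window=1000)
    r.segment(1001, b"GET ")          # in order
    r.segment(1011, b"HTTP/1.1")      # arrives early, buffered
    r.segment(1005, b"/ ")            # fills part of the hole
    r.segment(1005, b"/ ")            # retransmission, skipped
    r.segment(1007, b"v1/ ")          # closes the hole, buffered segment drains too
    r.segment(1017, b".1\r\n")        # partial retransmission: ".1" skipped, CRLF delivered
    print(bytes(r.stream))            # b'GET / v1/ HTTP/1.1\r\n'
```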