Beruflich Dokumente
Kultur Dokumente
Table of Contents
Overview ............................................................................................................................................ 3
Ingress Stage ..................................................................................................................................... 3
Packet Parsing................................................................................................................................ 5
Tunnel decapsulation ......................................................................................................................... 6
Flood and per-packet anomaly detection ....................................................................................... 8
TCP state check ............................................................................................................................. 8
Forwarding setup ............................................................................................................................ 8
Interface Mode ............................................................................................................................ 8
Forwarding action........................................................................................................................ 8
Tap .............................................................................................................................................. 8
Virtual Wire.................................................................................................................................. 8
Layer 2 ........................................................................................................................................ 8
Layer 3 ........................................................................................................................................ 8
NAT policy lookup........................................................................................................................... 9
User ID............................................................................................................................................ 9
Security policy lookup ..................................................................................................................... 9
Session allocation........................................................................................................................... 9
Firewall session fast path ................................................................................................................. 10
Application Identification................................................................................................................... 10
Summary .......................................................................................................................................... 11
Page 2
Overview
This document describes the packet handling sequence inside of PAN-OS device. The ingress and
forwarding/egress stages handles network functionalities to make packet forwarding decisions on
per packet basis. The rest of stages are flow-based security modules highlighted by App-ID and
Content-ID. This decoupling offers stateful security functions at application layer, and the resiliency
of per-packet forwarding, and flexibility of deployment topologies.
Security policies are always evaluated whenever there is an application change either from
unknown to a known one, or from a tunneling application to tunneled application.
Ingress Stage
Ingress stage receives packet from the network interface, parses the packet and determines
whether the given packet is subject to firewalling. If the packet is subject to firewalling then
continue with firewall session lookup and enter security processing stage, otherwise forward the
packet.
Note: During packet processing, a packet may be discarded because of protocol violation. In
certain cases which are considered firewall attack prevention features the packet maybe discarded
without configurable options because those packets will eventually be discarded by the end hosts.
Page 3
Page 4
Packet Parsing
Packet parsing starts with layer2 header of the packet received from interface,
Layer2: The ingress-port, 802.1q tag, destination MAC address is used as key to lookup ingress
logical interface. If interface is not found the packet is discarded. The hardware interface counter
"receive error" and global counter flow_rcv_dot1q_tag_err are incremented.
Layer3: The IP header is parsed.
IPv4: A packet can discarded for any one of the following reasons
Truncated IP header
IP protocol number 0
TTL zero
Land attack
Ping of death
Maritain IP address
IPv6: A packet can discarded for any one of the following reasons
truncated IP packet (IP payload buffer length less than IP payload field),
Layer 4:
TCP: The packet is discarded if
Checksum error,
port zero
Checksum error
Page 5
Tunnel Decapsulation
Tunnel decapsulation/decryption is also performed at the parsing stage. After parsing, if the packet
is determined that it matches tunnel, i.e. IPSec, SSL-VPN with SSL transport, then the following
sequence is executed:
packet will be decapsulated first, discarded if any error,
the tunnel interface associated with the tunnel will be assigned to packet as new ingress
interface, then packet will be fed back to parsing process, starting with packet header
defined by tunnel type.
Currently all supported tunnel types are IP layer tunneling, thus packet parsing (for tunneled
packet) starts with IP header.
IP Defragmentation
IP fragments will be parsed, be reassembled by defragmentation process and fed back to the
parser starting with IP header. A fragment may be discarded due to tear-drop attack (overlapping
fragments).
Layer3
IPv4
unicast
Inspect
and
forward
Inspect
and
forward
IP limited
broadcast
drop
IP directed
broadcast
drop
Layer 2
Multicast
firewalling on
IPv6firewalling
on
Tap
Inspect
and
forward
Inspect and
forward
Inspect and
forward
Inspect and
drop
forward
( flood)
forward
Inspect and
forward
forward
drop
forward
( flood)
forward
Inspect and
forward
forward
drop
Default
Page 6
Layer3
Martian
address
drop
drop
drop
IPv6
drop
forward
Non-IP
process if
applicable
forward
Layer 2
IPv6firewalling
on
Tap
drop
drop
drop
forward
Inspect if
IPv6
firewalling
is on
Inspect and
forward
drop
forward
forward
forward
drop
Default
Multicast
firewalling on
If the packet is subject to firewall inspection, flow lookup is performed on the packet. A firewall
session consists of two unidirectional flows each uniquely identified by 6-tuple key. In PAN-OS
implementation a flow is uniquely identified using a 6-tuple key.
Source and destination addresses: IP addresses from the IP packet.
Source and destination ports: Port numbers from TCP/UDP protocol headers. For
non-TCP/UDP, different field from protocols are used. For ICMP, ICMP identifier and
sequence numbers are used, for IPSec SPI is used to identify the flow and GRE call ID
is used for PPTP.
Protocol: The IP protocol number from the IP header is used to derive the flow key
Security zone: This field is derived from the ingress interface at which a packet
arrives.
Active flows are stored in the flow lookup table. When a packet is determined to be eligible for
firewall inspection, the 6-tuple flow key is extracted from the packet and flow lookup is performed to
match the packet with an existing flow. Each flow has a client and server component, where client
is sender of the first packet of the session from firewall perspective, and server is receiver of this
very first packet.
Note: The distinction of client and server is from the firewalls point of view and may or may not be
the same from the end hosts point of view.
Based on above definition of client and server there will be a client-to-server (C2S) and server-toclient (S2C) flow , where all client-to-server packets should contains same key as that of C2S flow,
and so on for S2C flow.
Page 7
The seed to encode cookie is generated each time dataplane boots up via random number
generator
If an ACK packet received from the client does not match cookie encoding, it treats the
packet as non-SYN and discards the packet.
A session that passes SYN cookies process are subject to TCP sequence number
translation as firewall acted as proxy for TCP 3-way handshake.
Note:
I.
II.
The firewall can be configured to allow the first TCP packet even if it does not have
SYN bit set. Even though this is not a recommended setting, scenarios with
asymmetric flow will require this
It is recommended to have firewall set to reject TCP non-SYN when SYN cookies are
enabled.
Forwarding setup
This stage determines packet forwarding path. Packet forwarding depends on the way firewall
interface is configured. The table below summarizes packet forwarding behavior.
Interface Mode
Forwarding action
Tap
Egress interface/zone is the same ingress interface/zone. The packet is
discarded
Virtual Wire
Egress interface is the peer interface configured in the virtual wire
Layer 2
Egress interface for the destination MAC is retrieved from the MAC
table. If the information is not present the frame is flooded to all interface
except the ingress interface in the VLAN
Layer 3
Route table lookup is used to determine the next hop
Page 8
User ID
If the user information is not available for the IP address, and the packet is destined to TCP/80, a
captive portal rule lookup is checked to see if the packet is subject to captive portal authentication.
If captive portal is applicable, the packet is redirected to the captive portal daemon
Session allocation
A new session entry from the free pool will be allocated once all of the above steps are
successfully completed. Session allocation failure may occur at this point due to resource
constraint
Session content will be filled with flow keys extracted from packet and forwarding/policy
results
Session state changes from INIT (pre-allocation) to OPENING (post-allocation)
If the application has not identified, the session timeout value is set to default value of the
transport protocol
Page 9
If the session is in discard state, then the packet will be discarded. A session can be
marked as discard state due to a policy action change to deny, or a threat detected.
If the session is active, refresh session timeout
If the packet is a TCP FIN/RST, the session timeout is changed to timeout-tcpwait value
If NAT is applicable, translate the L3/L4 header if applicable.
A packet matching an existing session is subject to layer7 processing if any of the following,
condition matches.
If a application uses TCP as transport, it will be processed by TCP reassembly module before
stream data is fed to layer7 module. TCP reassembly module will also perform window check,
buffer out-of-order data and skip TCP retransmission.
Page 10
Summary
Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel
Processing (SP3) Architecture which enables high-throughput, low-latency network security, even
while incorporating unprecedented features and technology. Palo Alto Networks solves the
performance problems that plague todays security infrastructure with the SP3 architecture, which
combines two complementary components-Single Pass software, Parallel Processing hardware.
The results is the perfect mix of raw throughput, transaction processing and network security that
todays high performance networks require.
Page 11