How to Log Denied Packets on Palo Alto Firewall


Palo Alto firewalls have recently featured in the Gartner report on next generation firewalls and are gaining popularity at a very rapid pace. The core feature of a Palo Alto firewall is its ability to detect and recognise applications (App-ID). This allows administrators to define rule sets and filtering based on applications rather than the traditional method of restricting TCP or UDP port numbers, as with what Gartner calls first generation firewalls.

A Palo Alto firewall is also a Unified Threat Management gateway that combines multiple features in a single box. These features include Antivirus, Anti-Spyware, Vulnerability Protection, File Blocking, Data Filtering, Denial of Service protection and URL Filtering through BrightCloud.

With all these advanced features it is also important to understand what is being blocked by the firewall. Without this visibility it is difficult to provision, migrate and seamlessly integrate services through the firewall, because the way traffic is filtered (by application rather than by port) differs from a traditional firewall. With real-time knowledge of what is being blocked, administrators can make changes on the fly and cut migration times.

The simple way to get visibility into denied traffic is to configure an explicit default deny rule at the end of your rule set, under the Policies tab if configuring through the graphical user interface. To monitor all traffic passing through the firewall, this rule should be source zone any to destination zone any with the action set to deny. The reason an explicit rule is needed is that the firewall's own implicit deny at the end of the rulebase does not generate traffic log entries; a rule you create does, but only if logging (Log at Session End) is enabled on it. A deny rule without logging still blocks traffic but gives you none of the visibility this article is about, so check that setting before committing.

With the above rule in place, administrators will also notice that traffic within the same security zone is dropped. By default the firewall allows intrazone traffic, but an explicit any to any deny rule matches that traffic first and overrides the default. This should be addressed, as it will potentially drop locally generated and zone-internal traffic. To resolve this, administrators can simply add an explicit allow rule for each security zone. For example, if a security zone called “Inside” is configured, there needs to be an allow rule for traffic with source zone “Inside” and destination zone “Inside”. This rule must be placed above the default deny rule kept at the bottom of the rule set. Similar rules need to be created for every security zone whose internal traffic is being dropped.
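The procedure above, as it would be entered from the PAN-OS CLI in configuration mode. This is an added example and not part of the original article: the hostname PA-200, the rule names Inside-to-Inside, DMZ-to-DMZ and Deny-All, and the second zone DMZ are assumed (only the zone Inside comes from the text), and the exact set of mandatory rule fields varies slightly between PAN-OS versions, so a commit validation error should be read as a hint to add the missing field (for example category or hip-profiles) rather than as a problem with the approach. Note log-end yes on the deny rule: that is what turns the blocked traffic into log entries.

```text
admin@PA-200> configure
Entering configuration mode
[edit]
admin@PA-200# set rulebase security rules Inside-to-Inside from Inside to Inside source any destination any source-user any application any service any action allow log-end yes
admin@PA-200# set rulebase security rules DMZ-to-DMZ from DMZ to DMZ source any destination any source-user any application any service any action allow log-end yes
admin@PA-200# set rulebase security rules Deny-All from any to any source any destination any source-user any application any service any action deny log-end yes
admin@PA-200# move rulebase security rules Deny-All bottom
admin@PA-200# commit
```

The move command guarantees that Deny-All stays below the per-zone allow rules even if rules are later added through the GUI. Once committed, the denied sessions appear in Monitor > Logs > Traffic; the filter `( rule eq 'Deny-All' )` lists only the traffic hitting the catch-all, and `( action eq deny )` shows everything denied by any rule. Sessions that show up there with identical source and destination zones are exactly the intrazone drops described above, and indicate a zone that still needs its own allow rule.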

Although it is not mandatory for administrators to have explicit allow and default deny rules in their rule base, doing so definitely makes the task of managing this next generation firewall easier.


Source by Amit D Jain