Palo Alto Networks Protocols Defined

I have to often do validation on rules set created on a Palo Alto firewall, now if you’ve done this you’ll know there’s a specific requirement to define which protocol to test against. Generally you’ll use UDP or TCP, and ICMP if needing to validate ping rules.

However PAN uses numbers and the provided direct KB from them does not define them all (1-255). So googling I found a nice simplified post by Kerry Cordero on his site here. Where he got this info from I’m not certain, he did not reference any PAN KB’s or anything. For prosperity of the internet I have quotes his list as it was on his site.

Many Thanks to Kerry for this work on this.

“Protocol Options:
When it comes to the protocol #, you have several options to choose from like:

TCP = 6
UDP = 17
ICMP = 1
ESP = 50

Below is a full list of options you can use.

Decimal	Keyword	Protocol	IPv6 Extension Header	Reference
0	HOPOPT	IPv6 Hop-by-Hop Option	Y	[RFC8200]
1	ICMP	Internet Control Message		[RFC792]
2	IGMP	Internet Group Management		[RFC1112]
3	GGP	Gateway-to-Gateway		[RFC823]
4	IPv4	IPv4 encapsulation		[RFC2003]
5	ST	Stream		[RFC1190][RFC1819]
6	TCP	Transmission Control		[RFC793]
7	CBT	CBT		[Tony_Ballardie]
8	EGP	Exterior Gateway Protocol		[RFC888][David_Mills]
9	IGP	any private interior gateway (used by Cisco for their IGRP)		[Internet_Assigned_Numbers_Authority]
10	BBN-RCC-MON	BBN RCC Monitoring		[Steve_Chipman]
11	NVP-II	Network Voice Protocol		[RFC741][Steve_Casner]
12	PUP	PUP		[Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, “PUP: An Internetwork Architecture”, XEROX Palo Alto Research Center, CSL-79-10, July 1979; also in IEEE Transactions on Communication, Volume COM-28, Number 4, April 1980.][[XEROX]]
13	ARGUS (deprecated)	ARGUS		[Robert_W_Scheifler]
14	EMCON	EMCON		[<mystery contact>]
15	XNET	Cross Net Debugger		[Haverty, J., “XNET Formats for Internet Protocol Version 4”, IEN 158, October 1980.][Jack_Haverty]
16	CHAOS	Chaos		[J_Noel_Chiappa]
17	UDP	User Datagram		[RFC768][Jon_Postel]
18	MUX	Multiplexing		[Cohen, D. and J. Postel, “Multiplexing Protocol”, IEN 90, USC/Information Sciences Institute, May 1979.][Jon_Postel]
19	DCN-MEAS	DCN Measurement Subsystems		[David_Mills]
20	HMP	Host Monitoring		[RFC869][Bob_Hinden]
21	PRM	Packet Radio Measurement		[Zaw_Sing_Su]
22	XNS-IDP	XEROX NS IDP		[“The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification”, AA-K759B-TK, Digital Equipment Corporation, Maynard, MA. Also as: “The Ethernet – A Local Area Network”, Version 1.0, Digital Equipment Corporation, Intel Corporation, Xerox Corporation, September 1980. And: “The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specifications”, Digital, Intel and Xerox, November 1982. And: XEROX, “The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification”, X3T51/80-50, Xerox Corporation, Stamford, CT., October 1980.][[XEROX]]
23	TRUNK-1	Trunk-1		[Barry_Boehm]
24	TRUNK-2	Trunk-2		[Barry_Boehm]
25	LEAF-1	Leaf-1		[Barry_Boehm]
26	LEAF-2	Leaf-2		[Barry_Boehm]
27	RDP	Reliable Data Protocol		[RFC908][Bob_Hinden]
28	IRTP	Internet Reliable Transaction		[RFC938][Trudy_Miller]
29	ISO-TP4	ISO Transport Protocol Class 4		[RFC905][<mystery contact>]
30	NETBLT	Bulk Data Transfer Protocol		[RFC969][David_Clark]
31	MFE-NSP	MFE Network Services Protocol		[Shuttleworth, B., “A Documentary of MFENet, a National Computer Network”, UCRL-52317, Lawrence Livermore Labs, Livermore, California, June 1977.][Barry_Howard]
32	MERIT-INP	MERIT Internodal Protocol		[Hans_Werner_Braun]
33	DCCP	Datagram Congestion Control Protocol		[RFC4340]
34	3PC	Third Party Connect Protocol		[Stuart_A_Friedberg]
35	IDPR	Inter-Domain Policy Routing Protocol		[Martha_Steenstrup]
36	XTP	XTP		[Greg_Chesson]
37	DDP	Datagram Delivery Protocol		[Wesley_Craig]
38	IDPR-CMTP	IDPR Control Message Transport Proto		[Martha_Steenstrup]
39	TP++	TP++ Transport Protocol		[Dirk_Fromhein]
40	IL	IL Transport Protocol		[Dave_Presotto]
41	IPv6	IPv6 encapsulation		[RFC2473]
42	SDRP	Source Demand Routing Protocol		[Deborah_Estrin]
43	IPv6-Route	Routing Header for IPv6	Y	[Steve_Deering]
44	IPv6-Frag	Fragment Header for IPv6	Y	[Steve_Deering]
45	IDRP	Inter-Domain Routing Protocol		[Sue_Hares]
46	RSVP	Reservation Protocol		[RFC2205][RFC3209][Bob_Braden]
47	GRE	Generic Routing Encapsulation		[RFC2784][Tony_Li]
48	DSR	Dynamic Source Routing Protocol		[RFC4728]
49	BNA	BNA		[Gary Salamon]
50	ESP	Encap Security Payload	Y	[RFC4303]
51	AH	Authentication Header	Y	[RFC4302]
52	I-NLSP	Integrated Net Layer Security TUBA		[K_Robert_Glenn]
53	SWIPE (deprecated)	IP with Encryption		[John_Ioannidis]
54	NARP	NBMA Address Resolution Protocol		[RFC1735]
55	MOBILE	IP Mobility		[Charlie_Perkins]
56	TLSP	Transport Layer Security Protocol using Kryptonet key management		[Christer_Oberg]
57	SKIP	SKIP		[Tom_Markson]
58	IPv6-ICMP	ICMP for IPv6		[RFC8200]
59	IPv6-NoNxt	No Next Header for IPv6		[RFC8200]
60	IPv6-Opts	Destination Options for IPv6	Y	[RFC8200]
61		any host internal protocol		[Internet_Assigned_Numbers_Authority]
62	CFTP	CFTP		[Forsdick, H., “CFTP”, Network Message, Bolt Beranek and Newman, January 1982.][Harry_Forsdick]
63		any local network		[Internet_Assigned_Numbers_Authority]
64	SAT-EXPAK	SATNET and Backroom EXPAK		[Steven_Blumenthal]
65	KRYPTOLAN	Kryptolan		[Paul Liu]
66	RVD	MIT Remote Virtual Disk Protocol		[Michael_Greenwald]
67	IPPC	Internet Pluribus Packet Core		[Steven_Blumenthal]
68		any distributed file system		[Internet_Assigned_Numbers_Authority]
69	SAT-MON	SATNET Monitoring		[Steven_Blumenthal]
70	VISA	VISA Protocol		[Gene_Tsudik]
71	IPCV	Internet Packet Core Utility		[Steven_Blumenthal]
72	CPNX	Computer Protocol Network Executive		[David Mittnacht]
73	CPHB	Computer Protocol Heart Beat		[David Mittnacht]
74	WSN	Wang Span Network		[Victor Dafoulas]
75	PVP	Packet Video Protocol		[Steve_Casner]
76	BR-SAT-MON	Backroom SATNET Monitoring		[Steven_Blumenthal]
77	SUN-ND	SUN ND PROTOCOL-Temporary		[William_Melohn]
78	WB-MON	WIDEBAND Monitoring		[Steven_Blumenthal]
79	WB-EXPAK	WIDEBAND EXPAK		[Steven_Blumenthal]
80	ISO-IP	ISO Internet Protocol		[Marshall_T_Rose]
81	VMTP	VMTP		[Dave_Cheriton]
82	SECURE-VMTP	SECURE-VMTP		[Dave_Cheriton]
83	VINES	VINES		[Brian Horn]
84	TTP	Transaction Transport Protocol		[Jim_Stevens]
84	IPTM	Internet Protocol Traffic Manager		[Jim_Stevens]
85	NSFNET-IGP	NSFNET-IGP		[Hans_Werner_Braun]
86	DGP	Dissimilar Gateway Protocol		[M/A-COM Government Systems, “Dissimilar Gateway Protocol Specification, Draft Version”, Contract no. CS901145, November 16, 1987.][Mike_Little]
87	TCF	TCF		[Guillermo_A_Loyola]
88	EIGRP	EIGRP		[RFC7868]
89	OSPFIGP	OSPFIGP		[RFC1583][RFC2328][RFC5340][John_Moy]
90	Sprite-RPC	Sprite RPC Protocol		[Welch, B., “The Sprite Remote Procedure Call System”, Technical Report, UCB/Computer Science Dept., 86/302, University of California at Berkeley, June 1986.][Bruce Willins]
91	LARP	Locus Address Resolution Protocol		[Brian Horn]
92	MTP	Multicast Transport Protocol		[Susie_Armstrong]
93	AX.25	AX.25 Frames		[Brian_Kantor]
94	IPIP	IP-within-IP Encapsulation Protocol		[John_Ioannidis]
95	MICP (deprecated)	Mobile Internetworking Control Pro.		[John_Ioannidis]
96	SCC-SP	Semaphore Communications Sec. Pro.		[Howard_Hart]
97	ETHERIP	Ethernet-within-IP Encapsulation		[RFC3378]
98	ENCAP	Encapsulation Header		[RFC1241][Robert_Woodburn]
99		any private encryption scheme		[Internet_Assigned_Numbers_Authority]
100	GMTP	GMTP		[[RXB5]]
101	IFMP	Ipsilon Flow Management Protocol		[Bob_Hinden][November 1995, 1997.]
102	PNNI	PNNI over IP		[Ross_Callon]
103	PIM	Protocol Independent Multicast		[RFC7761][Dino_Farinacci]
104	ARIS	ARIS		[Nancy_Feldman]
105	SCPS	SCPS		[Robert_Durst]
106	QNX	QNX		[Michael_Hunter]
107	A/N	Active Networks		[Bob_Braden]
108	IPComp	IP Payload Compression Protocol		[RFC2393]
109	SNP	Sitara Networks Protocol		[Manickam_R_Sridhar]
110	Compaq-Peer	Compaq Peer Protocol		[Victor_Volpe]
111	IPX-in-IP	IPX in IP		[CJ_Lee]
112	VRRP	Virtual Router Redundancy Protocol		[RFC5798]
113	PGM	PGM Reliable Transport Protocol		[Tony_Speakman]
114		any 0-hop protocol		[Internet_Assigned_Numbers_Authority]
115	L2TP	Layer Two Tunneling Protocol		[RFC3931][Bernard_Aboba]
116	DDX	D-II Data Exchange (DDX)		[John_Worley]
117	IATP	Interactive Agent Transfer Protocol		[John_Murphy]
118	STP	Schedule Transfer Protocol		[Jean_Michel_Pittet]
119	SRP	SpectraLink Radio Protocol		[Mark_Hamilton]
120	UTI	UTI		[Peter_Lothberg]
121	SMP	Simple Message Protocol		[Leif_Ekblad]
122	SM (deprecated)	Simple Multicast Protocol		[Jon_Crowcroft][draft-perlman-simple-multicast]
123	PTP	Performance Transparency Protocol		[Michael_Welzl]
124	ISIS over IPv4			[Tony_Przygienda]
125	FIRE			[Criag_Partridge]
126	CRTP	Combat Radio Transport Protocol		[Robert_Sautter]
127	CRUDP	Combat Radio User Datagram		[Robert_Sautter]
128	SSCOPMCE			[Kurt_Waber]
129	IPLT			[[Hollbach]]
130	SPS	Secure Packet Shield		[Bill_McIntosh]
131	PIPE	Private IP Encapsulation within IP		[Bernhard_Petri]
132	SCTP	Stream Control Transmission Protocol		[Randall_R_Stewart]
133	FC	Fibre Channel		[Murali_Rajagopal][RFC6172]
134	RSVP-E2E-IGNORE			[RFC3175]
135	Mobility Header		Y	[RFC6275]
136	UDPLite			[RFC3828]
137	MPLS-in-IP			[RFC4023]
138	manet	MANET Protocols		[RFC5498]
139	HIP	Host Identity Protocol	Y	[RFC7401]
140	Shim6	Shim6 Protocol	Y	[RFC5533]
141	WESP	Wrapped Encapsulating Security Payload		[RFC5840]
142	ROHC	Robust Header Compression		[RFC5858]
143	Ethernet	Ethernet		[RFC8986]
144-252		Unassigned		[Internet_Assigned_Numbers_Authority]
253		Use for experimentation and testing	Y	[RFC3692]
254		Use for experimentation and testing	Y	[RFC3692]
255	Reserved			[Internet_Assigned_Numbers_Authority]

“

February 8, 2021

Palo Alto Networks – Service Routes

The Story

You can read about Service routes from PAN directly here.

Basically … “The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. The service packets exit the firewall on the port assigned for the external service and the server sends its response to the configured source interface and source IP address.”

This is generally used if you configure the firewall, but don’t actually happen to physically plug anything into the MGMT port of the Firewall (MGMT on Physical or VNIC0 on VMs). However the device does have a internet connection, or has some interface on the dataplane that has access to a specific service. Whatever the need may be they can be useful to know they exist and can be utilized for certain situations.

When I discussed this with a friend who deploys many of these devices, it was opted to use the MGMT interface for most things. I did note one case such as Email, where you could configure the service route for that via the gateway interface for the mail server, thus only require one IP in the ACLs of the mail relay/server.

He did note that you could not test email from the passive firewall, as the interface won’t be active. Which could be problematic for other monitoring services such as SNMP, if utilized. Which was noted. Luckily many different services (SNMP/Email/LDAP) can be configured independently and all default to the MGMT interface.

Summary

The main reason I even noticed this was due to email not working on the alternative firewall after it took over from a failover, even though the dashboard on both firewall stated the running configs are both the same. Well it turns out that service routes I guess are not tested for synchronization between peers.

So yeah… not that if you are using Service Routes with PAN firewalls.

January 6, 2021

Palo Alto Networks – Email

Story

Well back to work, so what other than another story of fun times troubleshooting what should be a super simple task. When I was hit with a delayed greyed out screen on the management UI and the subsequent error.

“Unable to send email via gateway (email server IP)”

The

Hunt

Let’s see if others have hit this problem:

First ones a dead end.

Second and Third basically state to ensure legit email addresses are applied to both to and addition to fields. My case I know the only one email to address is fine.

And finally the How to By Palo Alto Networks themselves.

Well that’s annoying, bascially tell you to ensure the email server is accessible but they do so from other devices cause the PA can’t even do a telnet test… uhh ok useless, I know it’s open.

Things to Know

I had contacted my buddy who specializes in PA firewalls. There are some things to note.

Service Routing
By default all traffic from the firewall, will go out the MGMT interface. Unless otherwise specified. In my case I was using a Service Route for Email to use the interface that was acting as the gateway for the subnet in which the email server was residing.
Intrazone and Interzone Rules
By default if traffic doesn’t hit any rule it will be dropped, watch the video by Joe Delio for greater in-depth understanding.

The Solution

Now even though I had a “clean up” rule as stated by Joe. I was still not seeing the traffic being blocked (and I know it was being blocked).

Once my buddy told me to override the intrazone rule and enabled logging on that rule, I was finally able to see the packets being dropped by the PAN firewall within the Traffic Logs/Session Logs.

Sure enough it was my own mistake as I had forgot to extent an existing rule which should have had the PAN’s gateway IP within it. After I noticed this I extended the rule to allow SMTP port 25 from the PA IP (not the mgmt IP) I was able to send emails from the PAN firewall.

Hope this helps someone.

Also note I ensured a dedicated receive connector on the email server to ensure the email would be allowed to flow though.

February 21, 2019

Lets Encrypt HTTP Validation
And the Palo Alto Firewall

The Story

This…… this one…. this one drove me NUTS! for almost a week…. it was a lil mix of a perfect storm I guess… but lets start from the beginning shall we..

So a couple weeks ago i wanted to get active sync setup for my exchange server (Checking OWA sucks)… so I was sought after OPNsense for my open source firewall of choice.

I started following this German blog post, and I hope to have that blog post up very soon as well (sorry I don’t usually get hung up like this).

My setup was pretty much exactly the same however I was getting hung up on the plugin not validating my scripts over HTTP. See the full pain details here on github, anyway, I did finally manage to get my OPNsense server behind the NAT rule to finally succeeded behind my Palo Alto Firewall (by basically opening up the rule way more then I ever wanted to) so I knew! I knew it was the Palo Alto blocking still somehow… but how I couldn’t make sense so I wasn’t sure how to create my Security rule.

First try

My first try was exactly like the github issue describes, was failing on domain key creation, this failed even on my OPNsense with a Public IP and all rules exactly as the OPNsense basic guide states to set it up.

When Neilpang (the main script writer/contributor) said ti was fixed and no commit was applied, I tried again and it worked, I can only assume this was due to the fact DNS may not have replicated to the external DNS servers lets encrypt servers are configured to use when I first made my attempts at a cert validation.

That didnt’ explain why every attempt behind my Palo Alto with a NAT and security rule would fail…

The Palo Alto

I love these things, but they can also be very finicky. to verify my rule I had used my IIS Core VM (That I’ve used in previous posts on how to manage Windows Server Core) along with the HAProxy plugin on OPNsense to basically move the requests from the NAT rule of the Palo Alto but really serve up the IIS website of my IIS server. Not to my amazement, but sure enough I was able to access the IIS website from the internet, so my security rules and nat rules on the Palo ALto are working fine, as well as the security rules on the OPNsense server…. so what gives? Why are these HTTP Validation requests failing??

Again, as stated above I knew it was the Palo Alto from opening up the rule completely and it working, but I figured it was the issue even before I did that… but opening up the security rule completely is not the answer here… like it works but its far to insecure…

So I managed to talk to a friend of mine who happens to be realllllly good at deploying Palo Alto as he does it for a living. I basically describe my issue to him, and ask him if there’s anything he can think of that might be a problem. (I’ll hopefully be having a couple more Palo Alto blog posts as soon as I can get my proper licensed VM) To my actual amazement he goes on about this one setting you can use inside security rules and about a story about when it caused him grief…. go figure, he’s experienced it all!

What was it?!?!?!

Alright so here’s my rule I intially had, which was causing failures of the let’s encrypt OPNsense plugin…

AS you can see nothing really special, until he told me about… PAN DSRI or Palo Alto’s Disable Server Response Inspection you can check the link for more details. Now the funny part is that post covers better performance…. in my case, it was simply needed to work! And all it was, was a checkbox….

once that checkbox was selected, the rule adds a icon to it.

I was able to click Issue certificates on the OPNsense Lets Encrypt plugin, and I got some certs! I’m ready to now add the Let’s Encrypt HAProxy plugin integration and set these certificates for backend services… like my ActiveSync… or OWA… Ohhh exciting stuff!

Man that feels good to finally have that sorted! Wooooo!