User Laptop: 10.10.X.X (Trust zone)
Destination: https://example.com (4.4.x.x : TCP 443)
Firewall: Palo Alto
🔦 1️⃣ Packet ENTERS the Firewall (Ingress)
🔹 Packet reaches the physical interface as electrical/optical signals
🔹 Firewall reads Layer 2, 3, and 4 headers:
MAC address, VLAN
Source & destination IP
TCP ports and flags
🔹 Basic checks are done:
Invalid MAC/IP?
Bad checksum?
TTL expired?
Malformed packet?
If anything is wrong → packet dropped
If OK → move forward
Packet data and metadata are temporarily stored in RAM
2️⃣ Session Setup (Slow Path – First Packet Only)
This happens only for the very first packet of a connection.
🔹 Firewall performs routing lookup
Decides outgoing interface & zone
Trust → Untrust
🔹 NAT policy lookup
Example:
10.10.X.X → 203.0.X.X (Public IP)
NAT mapping saved in memory
🔹 Security policy lookup (initial)
At this point, the application is still UNKNOWN
Policy is matched using zones, IPs, and port (443)
No allow rule → DROP
Allow rule → continue
3️⃣ Session Creation (Very Important)
Firewall now creates a session entry in fast memory.
Session stores:
Source & destination IP
Ports
Zones
NAT information
Policy rule ID
TCP state & timers
This is why Palo Alto is a stateful firewall
4️⃣ Fast Path Processing (All Next Packets)
From now on, the firewall becomes very fast ⚡
🔹 Every packet first checks the session table
No full policy lookup again
No routing decision again
🔹 Firewall only validates:
TCP sequence numbers
TCP flags
Session timeout
If valid → continue
If invalid → drop
5️⃣ Application Identification (App-ID)
This is where Palo Alto becomes Next-Generation 🔥
🔹 Firewall analyzes packet behavior and payload
🔹 Identifies real application:
SSL
web-browsing (later)
🔹 Security policy is re-evaluated using the real application, not just port numbers
App-ID signatures are loaded from disk and cached in memory
6️⃣ Content Inspection (SP3 Engine)
🔥 Core strength of Palo Alto 🔥
🔹 Packet is decoded only once
🔹 Multiple engines work in parallel:
App-ID
IPS (Threat-ID)
Antivirus
Anti-Spyware
URL Filtering
WildFire
🔹 If SSL Decryption is enabled:
Traffic is decrypted
Inspected
Re-encrypted
If threat found → block / reset / log
If clean → allow
Logs are written to disk (SSD)
7️⃣ Forwarding & Egress
🔹 Firewall forwards packet using routing / switching / vwire logic
🔹 Packet is transmitted out of the firewall
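As an added illustration (not from the original post and not PAN-OS code), this Python model walks a first packet through steps 2 to 5 above: routing lookup to zones, source NAT, port-based initial policy match, session creation, then fast-path session lookup and App-ID re-evaluation for later packets. The route table, NAT address and security rule are constructed sample values.

```python
import ipaddress

# Constructed sample config (not a PAN-OS export): routes map prefixes to the egress zone,
# NAT rewrites trust->untrust sources, security rules match on zones + port + identified app.
ROUTES = {"10.10.0.0/16": "trust", "0.0.0.0/0": "untrust"}
SRC_NAT = {("trust", "untrust"): "203.0.113.10"}   # placeholder public IP
RULES = [  # (rule id, from zone, to zone, dst port, allowed apps); first match wins
    ("allow-web", "trust", "untrust", 443, {"ssl", "web-browsing"}),
]
SESSIONS = {}  # session table: 5-tuple -> session entry (zones, NAT, rule, app, TCP state)

def zone_for(ip):
    """Routing lookup: longest-prefix match on ROUTES decides the zone of an address."""
    nets = sorted(ROUTES, key=lambda n: ipaddress.ip_network(n).prefixlen, reverse=True)
    return next(ROUTES[n] for n in nets if ipaddress.ip_address(ip) in ipaddress.ip_network(n))

def match_rule(src_zone, dst_zone, dport, app):
    """Policy lookup. On the first packet app is 'unknown', so only zones and port match."""
    for rid, fz, tz, port, apps in RULES:
        if (fz, tz, port) == (src_zone, dst_zone, dport) and (app == "unknown" or app in apps):
            return rid, "allow"
    return None, "drop"

def handle_packet(pkt):
    """Slow path for the first packet of a flow; fast path (session lookup) for all others."""
    key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], "tcp")
    if key in SESSIONS:                     # fast path: no routing, NAT or full policy lookup
        s = SESSIONS[key]
        if pkt["seq"] <= s["seq"]:          # simplified TCP state check (old/replayed segment)
            return "drop (bad seq)"
        s["seq"] = pkt["seq"]
        return "fast-path allow via " + s["rule"]
    src_zone, dst_zone = zone_for(pkt["src"]), zone_for(pkt["dst"])   # slow path starts here
    nat_src = SRC_NAT.get((src_zone, dst_zone), pkt["src"])
    rid, action = match_rule(src_zone, dst_zone, pkt["dport"], "unknown")
    if action != "allow":
        return "drop (no rule)"
    SESSIONS[key] = {"zones": (src_zone, dst_zone), "nat_src": nat_src,
                     "rule": rid, "app": "unknown", "seq": pkt["seq"]}
    return "slow-path allow via %s, NAT %s->%s" % (rid, pkt["src"], nat_src)

def app_id_update(key, app):
    """App-ID: re-evaluate the policy with the real application, not just the port."""
    s = SESSIONS[key]
    s["app"] = app
    rid, action = match_rule(*s["zones"], key[3], app)
    if action != "allow":
        del SESSIONS[key]                   # session torn down, e.g. non-web app tunnelled on 443
    return action
```

Run `handle_packet` twice with the same 5-tuple to see the slow path followed by the fast path, then call `app_id_update` with an app the rule does not permit to see the port-443 session torn down.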