An L3 Zone is a logical security boundary where:
Interfaces have IP addresses
Traffic is routed (Layer 3)
Security policies are enforced based on source zone → destination zone
Routing decides the path. Zones decide the permission.
Let’s break this L3 Zone Packet Flow down in a very practical way, layer by layer, using ONE clear example.
We’ll assume this environment:
User-Zone: 10.10.X.X
App-Zone: 10.20.X.X
DB-Zone: 10.30.X.X
Firewall is a Palo Alto Networks Next-Generation Firewall (Layer 3 mode)
🔥 SCENARIO
User PC: 10.10.X.X
App Server: 10.20.X.X
Service: HTTPS (TCP 443)
User opens browser → accesses:
https://10.20.X.X
Now let’s follow the packet inside the firewall.
STEP-BY-STEP PACKET FLOW (Deep Explanation)
🟢 STEP 1 — Packet Creation (Inside User PC)
Layer 7 – Application
User types URL → Browser creates HTTPS request
Layer 4 – Transport
Protocol: TCP
Source Port: Random (e.g., 49500)
Destination Port: 443
Layer 3 – Network
Source IP: 10.10.X.X
Destination IP: 10.20.X.X
Layer 2 – Data Link
Source MAC: User PC
Destination MAC: Firewall (User-Zone interface, which is the PC’s default gateway)
Layer 1 – Physical
Bits sent as electrical (or optical) signals to the firewall
🟢 STEP 2 — Packet Enters Firewall (Ingress)
Packet enters L3 interface:
Interface: ethernet1/1
Zone: User-Zone
IP: 10.10.X.X
Firewall actions:
✔ Strip L2 header
✔ Check destination IP
✔ Identify ingress interface
✔ Map interface → Source Zone
Source Zone = User-Zone
🟢 STEP 3 — Routing Decision (L3 Lookup)
Firewall checks the routing table (longest-prefix match)
Destination: 10.20.X.X
Route: 10.20.X.X/X → ethernet1/2
Egress Interface = ethernet1/2
Destination Zone = App-Zone (the zone of the egress interface; if destination NAT applies, the zone is derived from the post-NAT address)
Flow: User-Zone → App-Zone
🟢 STEP 4 — Security Policy Evaluation
Checks (top-down, first match wins):
Source Zone: User-Zone
Destination Zone: App-Zone
Source IP: 10.10.X.X
Destination IP: 10.20.X.X
Service: tcp/443
Application: not yet known on the first packet (see Step 5)
Example rule:
User-Zone → App-Zone
App: ssl
Service: application-default (ssl is allowed only on its standard port, tcp/443)
Action: Allow
Match → Continue
No match → ❌ Drop (the implicit interzone-default rule denies cross-zone traffic that no explicit rule allows)
🟢 STEP 5 — App-ID Identification (Layer 7)
The SYN carries no application data, so the application is still unknown when the session is set up. Once payload arrives, the firewall:
• Inspects the payload
• Identifies the TLS handshake (ClientHello)
• Classifies the session as ssl (the inner HTTP is only visible as web-browsing if SSL decryption is enabled)
• Re-evaluates the security policy with the identified application
Doesn’t trust ports — verifies the application. Even if the server listened on 4443, the traffic would still be identified as ssl.
Caveat: with Service: application-default in the example rule, ssl on tcp/4443 is not on its standard port and is denied; with Service: any it would be allowed as ssl on any port.
Prevents:
Port hopping
Tunneling
Fake services
🟢 STEP 6 — Threat Inspection (Security Profiles)
Traffic is inspected by the Security Profiles attached to the matched rule:
✔ Vulnerability Protection (IPS)
✔ Antivirus
✔ URL Filtering
✔ Anti-Spyware
✔ File Blocking
Scans for:
Malware
Exploits
Suspicious behavior
Caveat: for HTTPS the payload is encrypted, so without an SSL decryption policy these profiles can only see the handshake (SNI, certificate), not the content.
Threat → action configured in the profile (alert, drop, reset)
Clean → Continue
🟢 STEP 7 — Session Creation
In PAN-OS the session is installed at the end of session setup (after the route lookup and the initial policy check), before App-ID has finished; Steps 5 and 6 then run on packets of the installed session.
Session Table Entry:
c2s flow: 10.10.X.X:49500 → 10.20.X.X:443
State: OPENING (until the TCP handshake completes, then ACTIVE)
Zone: User-Zone → App-Zone
Application: unknown → ssl once App-ID identifies it
Future packets match the session table and take the fast path: zone, route and policy lookups are not repeated, but App-ID and content inspection still run on them.
🟢 STEP 8 — Packet Forwarded (Egress)
Firewall:
• Decrements the IP TTL (this is a routed hop)
• Rebuilds the L2 header
• Source MAC = Firewall App-Zone interface
• Destination MAC = App Server (resolved via ARP on ethernet1/2)
• Sends via ethernet1/2
Packet reaches App Server.
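The whole flow above, condensed into a small simulation so the zone lookup, longest-prefix route lookup, policy match, App-ID re-check and session fast path can be watched on real inputs. This is an added example, not code from the post or from Palo Alto Networks; the /16 zone networks, the interface names, the rule name and the toy App-ID (a TLS handshake record is "ssl") are assumptions filled in where the article leaves X placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab values: the article leaves host octets as X, so /16 zone networks
# and interface-to-zone assignments are assumed here.
INTERFACES = {"ethernet1/1": "User-Zone", "ethernet1/2": "App-Zone", "ethernet1/3": "DB-Zone"}
ROUTES = [("10.10.0.0/16", "ethernet1/1"), ("10.20.0.0/16", "ethernet1/2"),
          ("10.30.0.0/16", "ethernet1/3")]
# Standard ports behind Service: application-default (subset, assumed)
APP_DEFAULT_PORTS = {"ssl": {("tcp", 443)}, "web-browsing": {("tcp", 80)}}

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    app: str       # App-ID name or "any"
    service: str   # "application-default", "any" or "tcp/<port>"
    action: str    # "allow" or "deny"

# The article's example rule; anything else hits the implicit default rules
POLICY = [Rule("User-to-App-HTTPS", "User-Zone", "App-Zone", "ssl", "application-default", "allow")]

@dataclass
class Session:
    key: tuple
    src_zone: str
    dst_zone: str
    egress: str
    app: str = "unknown"
    state: str = "OPENING"   # OPENING until App-ID and policy confirm it, then ACTIVE or DISCARD
    rule: str = ""

SESSION_TABLE = {}

def ingress_zone(iface):
    """Step 2: interface -> zone."""
    return INTERFACES[iface]

def route_lookup(dst_ip):
    """Step 3: longest-prefix match; returns the egress interface or None."""
    dst, best = ip_address(dst_ip), None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def service_matches(rule, app, proto, dport):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (proto, dport) in APP_DEFAULT_PORTS.get(app, set())
    p, _, port = rule.service.partition("/")
    return p == proto and int(port) == dport

def evaluate_policy(src_zone, dst_zone, app, proto, dport):
    """Step 4: first matching rule wins; else intrazone-default allow / interzone-default deny."""
    for r in POLICY:
        if (r.from_zone == src_zone and r.to_zone == dst_zone
                and r.app in ("any", app) and service_matches(r, app, proto, dport)):
            return r.name, r.action
    return ("intrazone-default", "allow") if src_zone == dst_zone else ("interzone-default", "deny")

def identify_app(payload):
    """Step 5 (toy App-ID): a TLS record of type handshake (0x16), major version 3, is ssl."""
    return "ssl" if payload[:2] == b"\x16\x03" else "unknown"

def process_packet(ingress, src_ip, sport, dst_ip, dport, proto="tcp", payload=b""):
    """Run one packet through the flow; returns (verdict, detail)."""
    key = (src_ip, sport, dst_ip, dport, proto)
    sess = SESSION_TABLE.get(key)
    if sess is None:                                  # slow path: session setup
        src_zone = ingress_zone(ingress)
        egress = route_lookup(dst_ip)
        if egress is None:
            return "drop", "no-route"
        dst_zone = ingress_zone(egress)
        # The SYN carries no app data, so only check that some allow rule could
        # match this zone pair and port for the application it names.
        possible = [r for r in POLICY if r.from_zone == src_zone and r.to_zone == dst_zone
                    and r.action == "allow" and service_matches(r, r.app, proto, dport)]
        if not possible and src_zone != dst_zone:
            return "drop", "interzone-default"
        SESSION_TABLE[key] = Session(key, src_zone, dst_zone, egress)   # Step 7
        return "forward", egress                                        # Step 8
    if sess.state == "DISCARD":
        return "drop", sess.rule
    if sess.app == "unknown" and payload:             # fast path: App-ID, then policy re-check
        sess.app = identify_app(payload)
        if sess.app != "unknown":
            sess.rule, action = evaluate_policy(sess.src_zone, sess.dst_zone, sess.app, proto, dport)
            sess.state = "ACTIVE" if action == "allow" else "DISCARD"
            if action == "deny":
                return "drop", sess.rule
    return "forward", sess.egress

if __name__ == "__main__":
    syn = process_packet("ethernet1/1", "10.10.1.20", 49500, "10.20.1.10", 443)
    hello = process_packet("ethernet1/1", "10.10.1.20", 49500, "10.20.1.10", 443,
                           payload=b"\x16\x03\x01\x00\x05")
    print(syn, hello, process_packet("ethernet1/1", "10.10.1.20", 49501, "10.20.1.10", 4443))
```

The third call shows the application-default caveat from Step 5: the SYN to tcp/4443 is dropped at session setup because no allow rule could ever match that port for ssl. On a real firewall the same checks are done with `test routing fib-lookup` and `test security-policy-match`, and `show session all` shows the installed session and its state.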