How to block GRE completely

Created On 09/25/18 17:41 PM - Last Modified 10/17/25 13:29 PM


Objective


Symptoms

Created a security policy to block the GRE protocol with action deny, but when we look at the traffic logs, GRE still appears to be permitted by later rules.

Diagnosis

  • Blocking only GRE may not stop the GRE application from passing through the firewall.
  • Also block PPTP along with GRE to block GRE completely.


Environment


  • Palo Alto Networks Firewall

 



Procedure


Generic Routing Encapsulation (GRE) is a tunneling protocol designed to encapsulate a wide variety of network layer packets inside IP tunneling packets. The original packet is the payload for the final packet. The protocol is used on the Internet to secure virtual private networks.

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.

If you block only GRE, the GRE sessions will be allowed by one of the policies below the GRE block policy because of the Point-to-Point Tunneling Protocol (PPTP). Traffic logs will show that GRE has been allowed, bypassing the block rule.

So, to completely block the GRE protocol, create a policy blocking both applications (GRE and PPTP) and clear the existing sessions.
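
To confirm the block is complete after the change, the following added example (not part of the original article and not Palo Alto Networks code) audits an exported traffic log for GRE and PPTP entries that were still allowed. It separates sessions that started before the block rule was committed, which need clearing, from sessions allowed afterwards, which indicate a rule gap. The CSV column names, the timestamp format, the rule names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

TUNNEL_APPS = {"gre", "pptp"}   # the two applications the article says to block
TIME_FMT = "%Y/%m/%d %H:%M:%S"  # assumed timestamp format of the export

# Constructed sample export; column names are assumptions, adjust to your CSV.
SAMPLE_LOG = """Start Time,Source address,Destination address,Application,Action,Rule
2018/09/25 16:50:00,10.1.1.10,203.0.113.5,pptp,allow,Allow-Outbound
2018/09/25 16:50:02,10.1.1.10,203.0.113.5,gre,allow,Allow-Outbound
2018/09/25 17:10:00,10.1.1.20,203.0.113.9,gre,deny,Block-GRE
2018/09/25 17:12:00,10.1.1.30,203.0.113.5,pptp,allow,Allow-Outbound
2018/09/25 17:12:03,10.1.1.30,203.0.113.5,gre,allow,Allow-Outbound
2018/09/25 17:15:00,10.1.1.40,198.51.100.7,ssl,allow,Allow-Outbound
"""

def audit_tunnel_block(csv_text, rule_commit_time):
    """Split allowed GRE/PPTP log entries into sessions that predate the
    block rule (need clearing) and sessions allowed after it (policy gap)."""
    commit = datetime.strptime(rule_commit_time, TIME_FMT)
    stale, gaps = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["Application"].strip().lower()
        if app not in TUNNEL_APPS or row["Action"].strip().lower() != "allow":
            continue  # only allowed tunnel traffic is of interest
        started = datetime.strptime(row["Start Time"], TIME_FMT)
        if started < commit:
            # Session was set up before the deny rule existed.
            stale.append((row["Source address"], row["Destination address"], app))
        else:
            # Allowed after the commit: some rule still matches this application.
            gaps[(row["Rule"], app)] += 1
    return {"stale_sessions": stale, "policy_gaps": dict(gaps),
            "fully_blocked": not stale and not gaps}

if __name__ == "__main__":
    report = audit_tunnel_block(SAMPLE_LOG, "2018/09/25 17:00:00")
    for src, dst, app in report["stale_sessions"]:
        print(f"clear existing session: {app} {src} -> {dst}")
    for (rule, app), n in report["policy_gaps"].items():
        print(f"{app} still allowed by rule {rule!r} ({n} entries)")
    print("fully blocked:", report["fully_blocked"])
```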


