Support for IP fragmentation in active/active HA deployments
10729
Created On 04/07/20 23:42 PM - Last Modified 04/27/20 20:46 PM
Question
Can the Palo Alto Networks firewall running in High Availability Active/Active mode reassemble IP fragments if some fragments are received on Firewall A and some other fragments (of the same packet) are received on Firewall B?
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewalls.
- High Availability configuration in Active/Active.
- Asymmetric routing on the local network results in IP fragment #1 being sent to Firewall A and fragment #2 (of the same packet) being sent to Firewall B.
Answer
- No. A single firewall must receive all fragments of a packet in order to reassemble and inspect it.
- If the fragments of one packet are received on two different firewalls, they are dropped.
- Packet captures at the rx stage on both firewalls in active/active show fragment #1 received on Firewall A and fragment #2 received on Firewall B.
- Counters show the fragments being received but do not show the drop:
> show counter global filter packet-filter yes delta yes
Global counters:
name                      value  rate  severity  category  aspect  description
--------------------------------------------------------------------------------
flow_ipfrag_recv              8     1  info      flow      ipfrag  IP fragments received
flow_ipfrag_query             4     0  info      flow      ipfrag  IP fragments owner query
flow_ipfrag_pkt               4     0  info      flow      ipfrag  packets held by IP fragmentation
flow_ipfrag_entry_alloc       4     0  info      flow      ipfrag  IP fragment entry allocated
- There is currently no workaround on the firewall for this situation; the behavior cannot be modified.
- Avoid network designs that result in IP fragments of the same packet arriving asymmetrically on two firewalls.
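Because the firewall records the received fragments but never logs the drop, the only on-box evidence of this condition is the ipfrag counters on both HA peers. The following Python script is an added example, not part of this article and not Palo Alto Networks code: it parses the text of `show counter global` output collected from each peer (the two sample outputs below are constructed, modelled on the excerpt above) and flags the case where both peers report fragments received and held within the same delta window. Treating that combination as a sign of asymmetric fragment delivery is a heuristic assumption of this example, not a documented firewall indicator.

```python
import re

# Constructed sample output from Firewall A (modelled on the article's excerpt).
FIREWALL_A_COUNTERS = """\
Global counters:
name                      value  rate  severity  category  aspect  description
--------------------------------------------------------------------------------
flow_ipfrag_recv              8     1  info      flow      ipfrag  IP fragments received
flow_ipfrag_query             4     0  info      flow      ipfrag  IP fragments owner query
flow_ipfrag_pkt               4     0  info      flow      ipfrag  packets held by IP fragmentation
flow_ipfrag_entry_alloc       4     0  info      flow      ipfrag  IP fragment entry allocated
"""

# Constructed sample output from Firewall B over the same delta window.
FIREWALL_B_COUNTERS = """\
Global counters:
name                      value  rate  severity  category  aspect  description
--------------------------------------------------------------------------------
flow_ipfrag_recv              6     1  info      flow      ipfrag  IP fragments received
flow_ipfrag_query             3     0  info      flow      ipfrag  IP fragments owner query
flow_ipfrag_pkt               3     0  info      flow      ipfrag  packets held by IP fragmentation
flow_ipfrag_entry_alloc       3     0  info      flow      ipfrag  IP fragment entry allocated
"""

# Constructed output from a peer that saw no fragments at all in the window.
QUIET_PEER_COUNTERS = """\
Global counters:
name                      value  rate  severity  category  aspect  description
--------------------------------------------------------------------------------
"""

# One counter row: name, value, rate, severity, category, aspect, free-text description.
COUNTER_RE = re.compile(
    r"^(?P<name>flow_ipfrag_\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<description>.+)$"
)


def parse_ipfrag_counters(text: str) -> dict[str, int]:
    """Return {counter_name: value} for every flow_ipfrag_* row in the output."""
    counters: dict[str, int] = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line.strip())
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def fragments_seen_and_held(counters: dict[str, int]) -> bool:
    """True when this peer both received fragments and is still holding some."""
    return counters.get("flow_ipfrag_recv", 0) > 0 and counters.get("flow_ipfrag_pkt", 0) > 0


def suspect_asymmetric_fragments(peer_a: dict[str, int], peer_b: dict[str, int]) -> bool:
    """Heuristic (assumption of this example): both HA peers received and held
    fragments in the same delta window. The firewall logs no drop in this case,
    so the operator has to correlate the two peers' counters externally."""
    return fragments_seen_and_held(peer_a) and fragments_seen_and_held(peer_b)


def report(peer_a: dict[str, int], peer_b: dict[str, int]) -> str:
    """Short human-readable summary for a change ticket or monitoring alert."""
    if suspect_asymmetric_fragments(peer_a, peer_b):
        return (
            "Both HA peers received and are holding IP fragments "
            f"(A recv={peer_a['flow_ipfrag_recv']} held={peer_a['flow_ipfrag_pkt']}, "
            f"B recv={peer_b['flow_ipfrag_recv']} held={peer_b['flow_ipfrag_pkt']}); "
            "check for asymmetric routing splitting fragments across the pair."
        )
    return "No sign of fragments being split across the HA pair in this window."


if __name__ == "__main__":
    a = parse_ipfrag_counters(FIREWALL_A_COUNTERS)
    b = parse_ipfrag_counters(FIREWALL_B_COUNTERS)
    print(report(a, b))
    print(report(a, parse_ipfrag_counters(QUIET_PEER_COUNTERS)))
```

Run it against the `show counter global filter packet-filter yes delta yes` output captured from each peer during the same interval; a single peer showing held fragments is normal reassembly in progress, and only the two-peer correlation points at the asymmetric case described in this article.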