Network Broadcasts (.255) Being Dropped
18195
Created On 03/18/19 16:38 PM - Last Modified 07/10/20 02:23 AM
Symptom
The firewall is dropping the network broadcast ending in "255".
Environment
PAN-OS all
Cause
From the firewall perspective, our traffic is nothing special from src 192.168.0.11, with destination IP of the target host's directed-broadcast address dst 192.168.0.255 port 137; and assuming it matches a permit policy, the packet should be forwarded. However, a problem arises where the target host is in the same subnet as the firewall. This stems from the manner in which PanOS treats network addresses.
PanOS does not restrict the use of the 'network' and 'broadcast' addresses as valid host addresses (for example, in a typical /24 subnet range the .0 and .255 addresses are normally not permitted, but PanOS allows these and treats them no differently to any other host in the range). Therefore, when the firewall receives a packet destined to the directed-broadcast address, there is no automatic mapping to the broadcast MAC address. Assuming the packet is permitted by policy, the firewall will send out an ARP-Request for the target IP, but of course no host will respond and the packet will be dropped.
Resolution
There are 2 options:
- Create a drop rule for it. You can set it up for logging first just to make sure the traffic and the rule is working properly. Then we could disable the logging to free up resources for logging
- A static ARP entry is required to map the directed-broadcast IP to the intended broadcast MAC address.
How to configure Static ARP:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Static-ARP-on-the-Palo-Alto-Networks-Firewall/ta-p/59758
This would be just to reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses (broadcast).
The MAC interface that you use is the L3 interface being affected. You would do this only for the interfaces experiencing the issue.