Explicit Deny Policy Allows Some Traffic To Leak
Created On 09/24/20 21:44 PM - Last Modified 02/03/21 03:54 AM
Symptom
- A firewall is configured with a security rule that explicitly denies traffic to certain destinations. In the illustration below, traffic to example.com is being denied:
GUI: Policies > Security
- However, a sniffer capture indicates that traffic to this destination is being allowed:
- Traffic logs further confirm that packets to the destination are hitting the configured security policy:
GUI: Monitor > Traffic
Environment
- Any PAN-OS
- Palo Alto Firewalls (Both VM and Hardware)
- Authentication Policies (Captive Portal) configured.
- Security Policies configured.
Cause
Whenever an authentication policy is configured on the firewall and there is a traffic match on that policy, some of the traffic is allowed through regardless of the policy action set for that traffic.
This is because authentication is decoupled from authorization. The first clue is in the traffic logs shown above: the first session has a 'Session End Reason' of 'auth-policy-redirect'.
The sessions that follow end with 'policy-deny'.
Once the 3-way handshake completes, the endpoint sends an HTTP GET (for HTTP traffic) or a Server Hello is observed (in the case of HTTPS), and this exchange is allowed (as depicted in the earlier sniffer capture). The host is then redirected to the captive portal for authentication:
Sniffer trace for HTTPS:
The server certificate from the capture is that of Captive Portal indicating that the user is being redirected to authenticate. For HTTP queries, the redirection looks different and is more obvious. Frame 23 in the screenshot below illustrates this:
Sniffer trace for HTTP:
The security policy action is not applied until after the user authenticates. Once the user authenticates, the traffic is denied or blocked.
Resolution
The solution is to exclude denied traffic from authentication policies. There is rarely a use case that requires authenticating traffic that is denied by policy anyway. Authenticating and then denying that traffic also wastes processor cycles, in proportion to the amount of traffic being authenticated and subsequently denied.
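As an added audit example (not part of the original article or of PAN-OS itself), the script below parses a constructed configuration export and lists authentication rules whose zones, sources and destinations overlap a deny security rule, i.e. the rules this article says should be excluded. The element layout is an assumption modelled on a PAN-OS XML export; verify it against your own export before relying on it.

```python
"""Audit a PAN-OS config export for authentication rules that can match
traffic a security rule already denies (the condition described above)."""
import xml.etree.ElementTree as ET

# Constructed sample config (assumption: layout mirrors a PAN-OS export).
# A security rule denies example.com, but an authentication rule still
# matches any destination, so denied traffic gets redirected first.
SAMPLE_CONFIG = """<config><devices><entry name="fw"><vsys><entry name="vsys1"><rulebase>
<security><rules>
 <entry name="deny-example"><from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>example.com</member></destination>
  <action>deny</action></entry>
 <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <action>allow</action></entry>
</rules></security>
<authentication><rules>
 <entry name="captive-portal"><from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>any</member></destination></entry>
</rules></authentication>
</rulebase></entry></vsys></entry></devices></config>"""

RULEBASE = "./devices/entry/vsys/entry/rulebase"
MATCH_FIELDS = ("from", "to", "source", "destination")

def _members(rule, field):
    return {m.text for m in rule.findall(f"./{field}/member")}

def _overlaps(a, b):
    # "any" matches everything; otherwise the two sets must share a member.
    return "any" in a or "any" in b or bool(a & b)

def find_authenticated_denies(config_xml):
    """Return (auth_rule, deny_rule) name pairs whose match criteria overlap."""
    rb = ET.fromstring(config_xml).find(RULEBASE)
    denies = [r for r in rb.findall("./security/rules/entry")
              if r.findtext("action") in ("deny", "drop")]
    hits = []
    for auth in rb.findall("./authentication/rules/entry"):
        for deny in denies:
            if all(_overlaps(_members(auth, f), _members(deny, f)) for f in MATCH_FIELDS):
                hits.append((auth.get("name"), deny.get("name")))
    return hits

if __name__ == "__main__":
    for auth, deny in find_authenticated_denies(SAMPLE_CONFIG):
        print(f"authentication rule '{auth}' still matches traffic denied by '{deny}'")
```

Any pair it reports is a candidate for narrowing the authentication rule so the denied destinations no longer match it.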