How to mitigate an abnormal increase in "flow_policy_nofwd" global counter
Objective
- To mitigate an abnormal increase in flow_policy_nofwd global counter.
> show counter global filter delta yes
flow_policy_nofwd   x   y   drop   flow   session   Session setup: no destination zone from forwarding
This counter generally increments when the firewall is unable to find the egress interface, either during session setup or during forwarding. Some of the conditions under which this counter increments are as follows (for either the original IP or the NAT'd IP):
- Packet matched a PBF rule with next hop as discard.
- No route found for the destination IP.
- Discard route found for the destination IP.
- Egress interface is invalid.
- Ingress interface type is not among Tap, vwire, Layer2, or Layer3.
- IPv6 multicast packet is too big (in this case, another counter flow_ip6_mcast_pbf_drop would also increment).
- For versions 9.1 and above, the SD-WAN member interface is not available (in which case, another counter flow_sdwan_no_if_qualified will also increment).
- In an L2 domain, the destination MAC lookup failed, i.e., DMAC not found in the MAC lookup table.
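The companion counters named above give the quickest read on which cause applies. The following is an added example (not part of this article or of PAN-OS) that parses two reads of `show counter global` output, computes the positive deltas for drop-severity counters the way `filter delta yes` does, and maps a rising `flow_policy_nofwd` to the cause list above. The two snapshots are constructed; the row layout (name, value, rate, severity, category, aspect, description) follows the output row shown above, and the description text for every counter other than flow_policy_nofwd is a placeholder.

```python
"""Triage helper for a rising flow_policy_nofwd global counter.

Added example, not part of the original article or of PAN-OS. Assumes the
row layout seen in the article's own 'show counter global' output:
name value rate severity category aspect description.
"""
import re
from dataclasses import dataclass

# Constructed sample reads taken a few seconds apart. Descriptions other than
# flow_policy_nofwd's are placeholders, not real PAN-OS text.
SNAPSHOT_BEFORE = """\
flow_policy_nofwd              120   0 drop   flow   session   Session setup: no destination zone from forwarding
flow_ip6_mcast_pbf_drop          3   0 drop   flow   pbf       (placeholder) IPv6 multicast PBF drop
flow_sdwan_no_if_qualified      10   0 drop   flow   sdwan     (placeholder) no SD-WAN member interface qualified
pkt_recv                     50000 120 info   packet pktproc   (placeholder) packets received
"""
SNAPSHOT_AFTER = """\
flow_policy_nofwd              920  80 drop   flow   session   Session setup: no destination zone from forwarding
flow_ip6_mcast_pbf_drop          3   0 drop   flow   pbf       (placeholder) IPv6 multicast PBF drop
flow_sdwan_no_if_qualified     810  80 drop   flow   sdwan     (placeholder) no SD-WAN member interface qualified
pkt_recv                     51200 120 info   packet pktproc   (placeholder) packets received
"""


@dataclass(frozen=True)
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One counter per row: name value rate severity category aspect description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_counters(text: str) -> dict[str, Counter]:
    """Parse 'show counter global' rows into a dict keyed by counter name."""
    counters: dict[str, Counter] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header lines, blanks and anything non-tabular are skipped
        name, value, rate, sev, cat, aspect, desc = m.groups()
        counters[name] = Counter(name, int(value), int(rate), sev, cat, aspect, desc.strip())
    return counters


def counter_deltas(before: dict[str, Counter], after: dict[str, Counter],
                   severity: str = "drop") -> dict[str, int]:
    """Return {name: increase} for counters of the given severity that grew
    between the two reads, i.e. what 'filter delta yes severity drop' lists."""
    deltas: dict[str, int] = {}
    for name, cur in after.items():
        if cur.severity != severity:
            continue
        prev = before.get(name)
        increase = cur.value - (prev.value if prev else 0)
        if increase > 0:
            deltas[name] = increase
    return deltas


# Companion counters named in the article and the cause each one points at.
COMPANIONS = {
    "flow_ip6_mcast_pbf_drop": "IPv6 multicast packet too big",
    "flow_sdwan_no_if_qualified": "SD-WAN member interface not available (PAN-OS 9.1 and above)",
}

# Causes that have no dedicated companion counter; checked in the article's order.
GENERIC_CHECKS = [
    "PBF rule with next hop 'discard' (POLICIES > Policy Based Forwarding)",
    "no route or discard route for the destination (show routing route / show routing fib)",
    "invalid egress interface, or interface in the wrong virtual router / virtual wire",
    "Layer 2: destination MAC missing from the MAC table (show mac all)",
]


def triage_nofwd(deltas: dict[str, int]) -> list[str]:
    """Turn a delta table into the ordered list of causes to check; the
    companion-counter causes come first because they are the most specific."""
    if deltas.get("flow_policy_nofwd", 0) <= 0:
        return []
    hints = [cause for name, cause in COMPANIONS.items() if deltas.get(name, 0) > 0]
    return hints + GENERIC_CHECKS


if __name__ == "__main__":
    d = counter_deltas(parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_AFTER))
    for name, inc in d.items():
        print(f"{name}: +{inc}")
    for cause in triage_nofwd(d):
        print(" - check:", cause)
```

In the constructed data flow_sdwan_no_if_qualified rises in step with flow_policy_nofwd while flow_ip6_mcast_pbf_drop stays flat, so the SD-WAN cause is listed first and the IPv6 multicast cause is not listed at all; the generic routing, PBF, interface and MAC checks follow regardless.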
Environment
- Palo Alto Networks Firewall
- Supported PAN-OS
- Routing table
- flow_policy_nofwd global counter
Procedure
- Review the configuration of the interfaces and ensure that each is configured with the correct type and belongs to the correct forwarding entity. For example, a Layer3 interface must be part of the correct Virtual Router, and a Virtual Wire interface must be part of the correct Virtual Wire.
- Review the Policy Based Forwarding (PBF) rules and ensure that they are correctly defined. Navigate to POLICIES > Policy Based Forwarding in the UI. Look for any PBF rules with a discard action and confirm that they are intended.
- Review the routing configuration of the network and the firewall:
  - To check the routing table, use the CLI command:
    show routing route
    Ensure that the routes are properly configured for the packets to reach their destinations. Add or correct any missing or incorrect routes in the routing table.
  - To check the forwarding table, use the CLI command:
    show routing fib
    Ensure that the routing protocols are updated and reviewed to prevent any misconfiguration.
- In a Layer 2 domain, inspect the MAC address table using the CLI command:
  show mac all
  and check whether any entry is missing or incorrect.
- Check the traffic logs and search for the traffic that is being dropped by the firewall. Navigate to MONITOR > Traffic in the UI.
- Identify if a misconfigured security policy is dropping the packet. Adjust security policies to ensure proper traffic flow between zones.
- If the firewall is sending a packet through a tunnel, ensure that the destination interface on the firewall is placed in the same virtual router as the tunnel interface.
- Once the source IP, destination IP, or application of the dropped traffic has been identified, perform a filtered packet capture, which will help define the dropped traffic and apply the proper remediation.
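The routing steps above come down to one question per dropped packet: in the virtual router the packet arrives in, does a longest-prefix match find a usable egress interface? The following is an added example (not part of this article or of PAN-OS) that runs that lookup over a constructed routing table and returns the same outcomes the cause list distinguishes: no route, discard route, invalid egress interface, or forward with the egress zone. The route entries, interface names and zone names are constructed, and the interface-to-zone map stands in for the interface configuration reviewed in the first step.

```python
"""Route lookup check behind the routing steps of the procedure.

Added example, not part of the original article or of PAN-OS. The routing
table, interfaces and zones below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: str            # prefix, e.g. "10.1.0.0/16"
    nexthop: Optional[str]      # None for connected or discard routes
    interface: Optional[str]    # None marks a discard route
    virtual_router: str


# Constructed routing table. Note the discard route and the route whose
# egress interface (ethernet1/9) is not configured.
ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1", "ethernet1/1", "default"),
    Route("10.1.0.0/16", "10.1.0.1", "ethernet1/2", "default"),
    Route("10.1.99.0/24", None, None, "default"),            # discard route
    Route("172.16.0.0/12", "172.16.0.1", "ethernet1/9", "default"),
    Route("192.168.50.0/24", None, "tunnel.1", "vr-tunnel"),  # tunnel lives in another VR
]

# Constructed interface -> zone map; an interface missing here is "invalid".
INTERFACES = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "tunnel.1": "vpn"}


def lookup(dst: str, routes: list[Route], vr: str) -> Optional[Route]:
    """Longest-prefix match for dst among the routes of one virtual router."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        if r.virtual_router != vr:
            continue
        net = ipaddress.ip_network(r.destination)
        if net.version != addr.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def classify(dst: str, vr: str, routes: list[Route] = ROUTES,
             interfaces: dict[str, str] = INTERFACES) -> tuple[str, Optional[str]]:
    """Return (outcome, egress_zone). Every outcome other than 'forward' is a
    condition under which flow_policy_nofwd increments."""
    route = lookup(dst, routes, vr)
    if route is None:
        return ("no_route", None)
    if route.interface is None:
        return ("discard_route", None)
    zone = interfaces.get(route.interface)
    if zone is None:
        return ("invalid_egress_interface", None)
    return ("forward", zone)


if __name__ == "__main__":
    for dst, vr in [("10.1.5.5", "default"), ("10.1.99.7", "default"),
                    ("172.20.1.1", "default"), ("192.168.50.9", "default"),
                    ("192.168.50.9", "vr-tunnel"), ("8.8.8.8", "vr-tunnel")]:
        print(dst, vr, "->", classify(dst, vr))
```

The last two sample lookups illustrate the tunnel step: 192.168.50.9 forwards out tunnel.1 only when looked up in vr-tunnel, while the same destination arriving in the default virtual router falls through to the default route and leaves via the untrust zone instead, and an unrelated destination in vr-tunnel has no route at all.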
Additional Information
Refer to the knowledge base articles below for specific use cases:
Unable to reach specific destination/subnet within AWS
Unable to reach specific destination/subnet within Azure
Other useful articles:
How to mitigate an abnormal increase in "flow_fwd_notopology" global counter.
How to check global counters for a specific source and destination IP address.
How to Display Interface MAC Addresses.
MAC Address Table learned by Palo Alto
What Happens If an Interface in Layer 2 Mode Receives a Packet with Unknown MAC Address?