Incorrect Source IP seen for inbound traffic on the CN-Series Firewall

Created On 01/31/23 22:16 PM - Last Modified 07/12/23 01:05 AM


Symptom


The session details on the management plane for the inbound load balancer traffic show the node or pan-cni IP address as the source address instead of the client's original IP address.
Session Details

kubectl get nodes -o wide command output showing the node IP addresses
Node Details


Environment


 Platform: CN-Series
 Deployment: CNv1, CNv2
 PAN-OS: Any


Cause


The Kubernetes LoadBalancer Service is configured with the default value Cluster for spec.externalTrafficPolicy, which obscures the client source IP.

Resolution


To see the original client IP address in the traffic logs, .spec.externalTrafficPolicy needs to be set to Local instead of Cluster.
Describe Service output showing externalTrafficPolicy: Local

Session details after changing the .spec.externalTrafficPolicy to Local
Session Details
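The following audit script is an added example and is not part of this article or of any Palo Alto Networks tooling. It reads the JSON that `kubectl get svc -A -o json` produces, flags every LoadBalancer or NodePort Service that still runs with externalTrafficPolicy Cluster (Kubernetes applies Cluster when the field is omitted, so unset Services are flagged too), and prints the `kubectl patch` command that switches each one to Local. The Service list embedded in the script is constructed sample data, not output from a real cluster; pipe real kubectl output into the script to audit your own cluster.

```python
"""Audit Kubernetes Services whose externalTrafficPolicy hides the client IP.

Added example (not part of the Palo Alto Networks article). Parses the JSON
from `kubectl get svc -A -o json`, reports LoadBalancer / NodePort Services
that use (or default to) externalTrafficPolicy "Cluster", and builds the
`kubectl patch` that sets the policy to "Local" so the CN-Series firewall
logs the real client source IP instead of the node / pan-cni address.
"""
import json
import sys

# Constructed sample of `kubectl get svc -A -o json` output (not real cluster data).
SAMPLE_SERVICE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "web-lb", "namespace": "default"},
            "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Cluster",
                     "ports": [{"port": 80}]},
        },
        {
            "metadata": {"name": "api-np", "namespace": "apps"},
            # Field omitted: Kubernetes defaults it to "Cluster".
            "spec": {"type": "NodePort", "ports": [{"port": 8080}]},
        },
        {
            "metadata": {"name": "fixed-lb", "namespace": "default"},
            "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
                     "ports": [{"port": 443}]},
        },
        {
            "metadata": {"name": "internal", "namespace": "default"},
            # ClusterIP Services receive no node-external traffic; policy does not apply.
            "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]},
        },
    ],
})

# externalTrafficPolicy only applies to Services that accept node-external traffic.
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}


def find_source_ip_obscuring_services(service_list_json):
    """Return (namespace, name, type) for each external Service with policy Cluster.

    A missing externalTrafficPolicy is treated as "Cluster", matching the
    Kubernetes default, so such Services are reported as well.
    """
    findings = []
    for item in json.loads(service_list_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") not in EXTERNAL_TYPES:
            continue
        if spec.get("externalTrafficPolicy", "Cluster") == "Cluster":
            meta = item["metadata"]
            findings.append((meta["namespace"], meta["name"], spec["type"]))
    return findings


def patch_command(namespace, name):
    """Build the kubectl patch that sets .spec.externalTrafficPolicy to Local."""
    patch = json.dumps({"spec": {"externalTrafficPolicy": "Local"}})
    return f"kubectl -n {namespace} patch svc {name} -p '{patch}'"


def set_policy_local(service_manifest_json):
    """Return a Service manifest (JSON) with externalTrafficPolicy set to Local.

    For Services managed declaratively, edit the manifest this way and
    re-apply it instead of patching the live object.
    """
    manifest = json.loads(service_manifest_json)
    manifest.setdefault("spec", {})["externalTrafficPolicy"] = "Local"
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Use piped kubectl output when present, otherwise the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICE_LIST
    for ns, name, kind in find_source_ip_obscuring_services(data):
        print(f"{ns}/{name} ({kind}) hides the client source IP; fix with:")
        print("  " + patch_command(ns, name))
```

Run it as `kubectl get svc -A -o json | python audit_etp.py`. Only LoadBalancer and NodePort Services are reported because externalTrafficPolicy has no effect on other Service types; after patching, confirm the change with `kubectl describe service` and check that new sessions on the firewall show the client address rather than a node IP.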


Additional Information


  • Cluster obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.
  • Local preserves the client source IP and avoids a second hop for LoadBalancer and NodePort type Services, but risks potentially imbalanced traffic spreading.

