EtherIP protocol packets may cause resource utilisation on PANW next generation firewalls
15933
Created On 09/19/22 15:17 PM - Last Modified 06/28/23 09:25 AM
Symptom
EtherIP protocol (IP protocol 97) tunnels Ethernet and IEEE 802.3 media access control frames in IP datagrams so that non-IP traffic can traverse an IP internet. The protocol is very lightweight, and it does not provide protection against infinite loops.
Although it is usually used to carry encrypted data, the traffic may traverse PANW next generation firewalls depending on the network topology in place. A high volume of EtherIP traffic may cause resource utilisation on the firewall.
Environment
Any PANW next generation firewall
Any PanOS version
Cause
EtherIP traffic is mostly encountered in WLAN infrastructures, where it is used to carry traffic between WLAN controllers and/or access points. Traffic sourced from or destined to several internal subnets may be carried via a single EtherIP tunnel.
Because all of these packets hit the same "session" record on the firewall (the outer source IP, destination IP and IP protocol 97 are identical for the whole tunnel), firewall resources may be heavily utilised by a high packet volume. Hardware models that have a network (offload) processor are not able to offload the EtherIP traffic due to the nature of the protocol.
The network processor sends a message to the data planes along with each EtherIP packet. On the data plane the flow_fpga_rcv_igr_PROTO counter increases with each such packet:
> show counter global filter delta yes
...
flow_fpga_rcv_igr_PROTO 4176134021 2502 info flow offload FPGA IGR Exception: PROTO
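As an added illustration (not part of the original article), the following Python decodes an EtherIP datagram according to RFC 3378 (outer IPv4 with protocol 97, a 16-bit EtherIP header with version 3 and zeroed reserved bits, then the tunnelled Ethernet frame) and groups packets by the outer tuple a firewall keys its session on. The packet builder, MAC addresses and IP addresses are constructed sample data; they show how several inner subnets collapse onto one session record.

```python
import struct
from collections import defaultdict

ETHERIP_PROTO = 97          # IP protocol number assigned to EtherIP (RFC 3378)
ETHERIP_VERSION = 3         # RFC 3378 fixes the 4-bit version field to 3


def ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_etherip(outer_src, outer_dst, inner_src, inner_dst, payload=b"\x00" * 20) -> bytes:
    """Construct a sample datagram: IPv4 | EtherIP | Ethernet | IPv4 (constructed data, checksums left 0)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                           bytes(map(int, inner_src.split("."))), bytes(map(int, inner_dst.split(".")))) + payload
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + inner_ip
    eip = struct.pack("!H", ETHERIP_VERSION << 12)          # version=3 in the top nibble, 12 reserved bits zero
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(eip) + len(eth), 0, 0, 64, ETHERIP_PROTO, 0,
                           bytes(map(int, outer_src.split("."))), bytes(map(int, outer_dst.split("."))))
    return outer_ip + eip + eth


def parse_etherip(pkt: bytes) -> dict:
    """Decode the outer IPv4 header, validate the EtherIP header, and read the inner Ethernet/IPv4 frame."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ETHERIP_PROTO:
        raise ValueError(f"IP protocol {pkt[9]} is not EtherIP")
    if len(pkt) < ihl + 2 + 14:                                 # EtherIP header + minimal Ethernet header
        raise ValueError("truncated EtherIP datagram")
    eip = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    if eip >> 12 != ETHERIP_VERSION or eip & 0x0FFF:
        raise ValueError("malformed EtherIP header (version must be 3, reserved bits zero)")
    frame = pkt[ihl + 2:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    inner = None
    if ethertype == 0x0800 and len(frame) >= 34:               # IPv4 carried inside the Ethernet frame
        inner = (ip4(frame[26:30]), ip4(frame[30:34]))
    return {"outer": (ip4(pkt[12:16]), ip4(pkt[16:20]), ETHERIP_PROTO),
            "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"), "inner": inner}


def sessions(pkts) -> dict:
    """Group packets by the outer (src, dst, proto) tuple; every inner flow shares one firewall session."""
    out = defaultdict(set)
    for p in pkts:
        d = parse_etherip(p)
        out[d["outer"]].add(d["inner"])
    return dict(out)
```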
Resolution
If the EtherIP traffic should be allowed on the firewall:
- The etherip App-ID should be used in a security policy to allow the traffic.
- If the traffic volume and the resulting utilisation are high, it is advised to keep the EtherIP traffic off the firewall altogether.
If the EtherIP traffic should be blocked on the firewall:
- If the volume is low, a security policy with the etherip App-ID can be used to deny the traffic.
- If the volume is high, Zone Protection and/or DoS Protection policies can be used to drop the packets at an early stage of packet processing, before a session is created.
An application override policy with a custom application is not possible for etherip: application override is only supported for TCP and UDP.
Additional Information
Link to EtherIP RFC:
https://www.rfc-editor.org/rfc/rfc3378
An article about the packet processing stages on PANW next generation firewalls:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWFCA0
Public document related to application override:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override
Public document related to Zone and DoS Protection:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection