Saucepan

User Tools

Site Tools

Trace: firewall_resources multi_vsys vpn disk_space oracle firewall-hardware multicast credential_phishing_prevention aws aws_transit_gateway
paloaltonetworks:configuration:multicast

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:configuration:multicast [2022/08/01 11:05] bstaffordpaloaltonetworks:configuration:multicast [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 7: Line 7:
   * 224.0.0.0/4 - Multicast IP Range   * 224.0.0.0/4 - Multicast IP Range
     * 224.0.0.0/24 - Link Local multicast     * 224.0.0.0/24 - Link Local multicast
 +      * 224.0.0.5 OSPF - to send information to all OSPF routers
 +      * 224.0.0.6 OSPF - to send information to DR/BDR routers. 
       * 224.0.0.13 PIMv2       * 224.0.0.13 PIMv2
       * 224.0.0.18 VRRP       * 224.0.0.18 VRRP
       * 224.0.0.22 IGMPv3       * 224.0.0.22 IGMPv3
 +      * 224.0.0.251 mDNS (udp5353)
     * 224.0.1.0/24 - Reserved for specific applications     * 224.0.1.0/24 - Reserved for specific applications
     * 232.0.0.0/8 - Source Specific Multicast (SSM)     * 232.0.0.0/8 - Source Specific Multicast (SSM)
     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918
 +The IPv4 multicast addresses used for OSPF are 
  
 When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation. When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation.
Line 21: Line 24:
  
 ===== VWire ===== ===== VWire =====
-Multicast traffic will only be visible in the traffic logs if you tick "Multicast Firewalling" on the Virtual Wire options. The source and destination zones are the vwire source and destination zone. (i.e. it doesn't use the 'multicast' zone).+Multicast traffic will only be visible in the traffic logs if you tick "Multicast Firewalling" on the Virtual Wire options. The source and destination zones are the vwire source and destination zone. (i.e. it doesn't use the 'multicast' zone). If you don't tick "Multicast Firewalling", multicast traffic will still flow through the Vwire but there will be no logs. 
 +===== VLAN Insertion ===== 
 +This is where VLAN interfaces are used to insert the firewall into a single subnet where we can't change the endpoint IP addresses but we can cause the traffic to flow through the firewalls. 
 +  * Multicast does work through VLAN insertion.  
 +  * The Multicast traffic (while passing through the firewall) does not generate any traffic logs. 
 +  * I did a packet capture. There are four stages to PCAP on Palo 
 +    * drop stage is where packets get discarded. The reasons may vary and, for this part, the global counters may help identify if the drop was due to a policy deny, a detected threat, or something else. 
 +    * receive stage captures the packets as they ingress the firewall before they go into the firewall engine. When NAT is configured, these packets will be pre-NAT. 
 +    * transmit stage captures packets how they egress out of the firewall engine. If NAT is configured, these will be post-NAT. 
 +    * firewall stage captures packets in the firewall stage. 
 +  * I noticed that I didn’t get anything in the ‘firewall’ filter but I did get captures in drop, receive and transmit. 
 +  * I saw that I got four packets in receive, four in drop and twelve in transmit. 
 +  * In my lab I had four interfaces in the VLAN insertion. My assumption is that the twelve transmit packets were the four packets received being forwarded on from the receiving interface to the other three interfaces. 
 + 
 + 
 +**However** 
 + 
 +You can enforce Multicast traffic rules. 
 +  * Select a free IP address on the subnet being segmented. 
 +  * Create a blank virtual router. 
 +  * Create a Layer3 security zone. 
 +  * Create a VLAN Interface (Network > Interfaces > VLAN). Set the VLAN to be the same VLAN that the Layer2 interfaces are assigned to. Set the Virtual Router you just created. Select the layer 3 security zone you created. 
 +  * Create a security policy that allows the Layer3 security zone to the "multicast" zone (drop down list in destination zone in security policy rule). 
 +  * On the new virtual router in the Multicast settings configure 
 +    * Rendezvous Point Tab (without this config, there will be no logs) 
 +      * Enable - True 
 +      * RP Type - Static 
 +      * RP Interface - <VLAN Interface> 
 +      * RP Address - <IP of VLAN Interface> 
 +      * Group List - IP of Multicast Group. You should be able to put any multicast Ip here. So long as one is listed, the firewall will still capture all multicast traffic. 
 +      * Interfaces Tab (without this config, there will be no logs) 
 +        * Add a group 
 +          * Add the Vlan Interface. You do not need to add Group Permissions and you can disabled IGMP and PIM 
 +  * Commit. 
 + 
 +Check that the multicast traffic is now appearing in the logs (**NOTE**: You will also see BROADCAST traffic for the subnet from the Layer3 zone to the Layer3 zone and broadcast IP). If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic. 
 + 
 +  * show routing multicast fib 
 +  * show routing multicast route source 234.5.6.7 
 +  * show routing multicast igmp membership interface vlan.11 
 +  * show routing multicast route virtual-router vr1
 ===== Lab ===== ===== Lab =====
  
paloaltonetworks/configuration/multicast.1659351949.txt.gz · Last modified: (external edit)