An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
The correct packet-flow sequence is PBF (Policy-Based Forwarding) > Static route > Security policy enforcement. Policy-Based Forwarding is used to make routing decisions based on policies rather than routing tables, which means it takes precedence over static routes. Once the forwarding decision is made, static routes are evaluated. Finally, security policies are enforced to manage the traffic flow according to the defined rules.
Seems like A based on this image https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRzCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 Under Slowpath (session setup stage): PBF, then static routes and then policy enforcement.
A. Remember the process of the flow is RNR - Routing, NAT, Rights (Security Policy).
answer is A
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
Based on the two references from DrNick0 and nose999: A makes sense, as PBF will overrule routing and security policy comes after the forwarding (route) lookup. B doesn't make sense, as PBF comes before the route lookup. C doesn't make sense, as zone protection comes before PBF. D doesn't make sense, as NAT comes after the route lookup.
I'm voting for A.
I got this 2 weeks ago
https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
This is the least wrong answer
I believe the answer is A
I believe A is correct. Routing lookup happens during the session setup; at the egress stage it only refers to the lookup that was done during the session setup stage. For D, although NAT is applied before the security policy enforcement, the routing lookup is not done at the egress stage, so OSPF after security policy enforcement won't be a correct sequence.
Routing happens before security enforcement, so not D. B is wrong; it would be right if PBF were before BGP. I believe it would be like this: NAT > PBF > FIB > security enforcement. Closest match is A.
Agree with Takum. From that article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0):
SECTION 2: INGRESS STAGE
2.1 PACKET PARSING
2.2 TUNNEL DECAPSULATION
2.3 IP DEFRAGMENTATION
SECTION 3: FIREWALL SESSION LOOKUP
3.1. ZONE PROTECTION CHECKS
3.2. TCP STATE CHECK
3.3. FORWARDING SETUP
3.4. NAT POLICY LOOKUP <<<<<<< NAT
3.5. USER-ID
3.6. DOS PROTECTION POLICY LOOKUP
3.7. SECURITY POLICY LOOKUP <<<<<<<<< Security policy
3.8. SESSION ALLOCATION
SECTION 4: FIREWALL SESSION FAST PATH SECURITY PROCESSING CAPTIVE PORTAL
SECTION 5: APPLICATION IDENTIFICATION (APP-ID)
SECTION 6: CONTENT INSPECTION
SECTION 7: FORWARDING/EGRESS <<<<<< OSPF
Routing happens at 3.3, not section 7
That's the NAT lookup, not applying NAT. Same for security: it's a lookup too, then applied later.
Should be A. D should be incorrect, because NAT happens after security policy enforcement.
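To make the ordering the thread settles on concrete, here is a small Python model of the session-setup (slow path) stages from the KB article cited above. It is an added example, not code from this page or from Palo Alto Networks: PBF is consulted first, the routing table only if PBF does not match, then the NAT policy lookup, then the security policy lookup, with the translation itself applied at egress. The interface and zone names, addresses and rules are constructed. The model also goes one step beyond the thread by encoding the PAN-OS convention that security policy is matched on pre-NAT addresses but post-NAT zones, which is why the NAT lookup has to sit between the route lookup and the security lookup.

```python
"""Toy model of the PAN-OS session-setup order: PBF -> route -> NAT lookup ->
security lookup, with NAT applied only at egress. Topology is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology: interface -> zone (hypothetical names).
ZONE_OF_IF = {"ethernet1/1": "trust", "ethernet1/2": "untrust",
              "ethernet1/3": "isp2", "ethernet1/4": "dmz"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress_zone: str


@dataclass(frozen=True)
class PbfRule:
    src_zone: str
    dst_net: str
    egress_if: str


@dataclass(frozen=True)
class Route:
    prefix: str
    egress_if: str


@dataclass(frozen=True)
class NatRule:            # matched on pre-NAT zones and addresses
    src_zone: str
    dst_zone: str
    dst_ip: str
    translated_dst: str


@dataclass(frozen=True)
class SecurityRule:       # matched on pre-NAT addresses but post-NAT zones
    src_zone: str
    dst_zone: str
    dst_net: str
    action: str


def pbf_lookup(pkt: Packet, rules: list[PbfRule]) -> Optional[str]:
    """PBF is evaluated first; on a match the routing table is not consulted."""
    for r in rules:
        if r.src_zone == pkt.ingress_zone and ip_address(pkt.dst) in ip_network(r.dst_net):
            return r.egress_if
    return None


def route_lookup(dst: str, routes: list[Route]) -> Optional[str]:
    """Static route / FIB lookup: longest prefix match."""
    matches = [r for r in routes if ip_address(dst) in ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r.prefix).prefixlen).egress_if


def session_setup(pkt: Packet, pbf: list[PbfRule], routes: list[Route],
                  nat: list[NatRule], sec: list[SecurityRule]) -> dict:
    """Walk the slow-path stages in order; return the stage trace and the decision."""
    trace = ["pbf"]
    egress_if = pbf_lookup(pkt, pbf)
    if egress_if is None:                      # no PBF hit: fall back to the routing table
        trace.append("route")
        egress_if = route_lookup(pkt.dst, routes)
    if egress_if is None:
        return {"trace": trace, "action": "drop", "egress_if": None,
                "dst_zone": None, "translated_dst": None}
    dst_zone = ZONE_OF_IF[egress_if]

    trace.append("nat")                        # NAT policy lookup only; nothing is rewritten yet
    translated = pkt.dst
    for n in nat:
        if n.src_zone == pkt.ingress_zone and n.dst_zone == dst_zone and n.dst_ip == pkt.dst:
            translated = n.translated_dst
            break
    if translated != pkt.dst:                  # destination NAT: resolve the post-NAT zone
        trace.append("route")
        egress_if = route_lookup(translated, routes)
        dst_zone = ZONE_OF_IF[egress_if] if egress_if else None

    trace.append("security")                   # pre-NAT IPs, post-NAT zone
    action = "deny"                            # interzone default
    for s in sec:
        if (s.src_zone == pkt.ingress_zone and s.dst_zone == dst_zone
                and ip_address(pkt.dst) in ip_network(s.dst_net)):
            action = s.action
            break
    if action == "allow":
        trace.append("egress")                 # translation is applied here, on the way out
    return {"trace": trace, "action": action,
            "egress_if": egress_if if action == "allow" else None,
            "dst_zone": dst_zone,
            "translated_dst": translated if action == "allow" else None}


# Constructed sample policy set.
ROUTES = [Route("0.0.0.0/0", "ethernet1/2"), Route("10.0.0.0/8", "ethernet1/1"),
          Route("192.168.50.0/24", "ethernet1/4")]
PBF = [PbfRule("trust", "203.0.113.0/24", "ethernet1/3")]             # steer one destination via ISP2
NAT = [NatRule("untrust", "untrust", "192.0.2.10", "192.168.50.10")]  # DNAT public IP to DMZ server
SEC = [SecurityRule("trust", "isp2", "0.0.0.0/0", "allow"),
       SecurityRule("untrust", "dmz", "192.0.2.10/32", "allow")]      # pre-NAT IP, post-NAT zone


def outbound_via_pbf() -> dict:
    return session_setup(Packet("10.1.1.10", "203.0.113.5", 443, "trust"), PBF, ROUTES, NAT, SEC)


def inbound_dnat() -> dict:
    return session_setup(Packet("198.51.100.7", "192.0.2.10", 443, "untrust"), PBF, ROUTES, NAT, SEC)


if __name__ == "__main__":
    for name, fn in (("outbound via PBF", outbound_via_pbf), ("inbound DNAT", inbound_dnat)):
        print(name, fn())
```

Running it shows the two traces the thread argues about: the outbound flow hits PBF and never touches the routing table before the security lookup, and the inbound flow goes route lookup, NAT lookup, second route lookup on the translated address, security lookup, and only then egress where the rewrite happens. Writing the inbound security rule against the post-NAT address 192.168.50.10 instead of the pre-NAT 192.0.2.10 makes the same packet fall to the interzone default deny.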