Network technologies and trends

Feb 26 2016   4:28PM GMT

Palo Alto Firewall with PAN-OS 7.02 have issues with OSPF

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Tags:
firewall
OSPF
Palo Alto Networks
router

When it comes to Palo Alto Networks Firewall, we all know PAN-OS 6.x is a quite stable version, Palo Alto announced PAN-OS version 7 almost 8 months back,  but I see very few people are using this version of PAN-OS.

Those who are considering  a migration from PAN-OS 6.x to PAN-OS 7.x  they need to  be very careful as some interesting issues might occur. Recently I did tried a migration from 6.1.7  > 7.0.2 and finally planned to migrate to PAN-OS 7.0.4 but ended up with some issues, which forced me to revert back to the old version of PAN-OS 6.1.7.

There are some bugs in PAN-OS 7.0.2 which are not yet reported by Palo Alto neither in their website nor their TAC team is aware of.  One such bug or an issue is related to OSPF.

One should never consider to use  Palo Alto Firewall with PAN-OS 7.x  as an ABR . As Palo Alto never forms an adjacency with its neighbors in non 0 Area, the  Palo Alto Firewall gets struck in Exchange state with its neighbor and it never goes into two way or full OSPF state.  Even if you restart the OSPF process nothing changes, the firewall always struck in the exchange state. Interestingly it was forming an Adjacency with an Area 0 router.

Palo Alto - ABR OSPF

From the above scenario, Palo Alto Firewall with PAN-OS 7.0.2 will never form’s an OSPF  adjacency with its peer router R3 in Area 5 unless you downgrade the  PAN-OS of the Palo Alto Firewall to 6.x.  However you would notice with the same PAN-OS version 7.0.2 the Palo Alto Firewall will form an OSPF adjacency with R1 which is in Area 0.

So far I didn’t found a fix for this issue , the only way I could use Palo Alto Firewall as an ABR is to downgrade the Palo Alto Firewall to PAN-OS  6.1.7. Hopefully Palo Alto comes out with a solution for this issue.

4  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • bjdraw
    Attempted to upgrade to 7.0.7 and found the OSPF adjacency go down. Rolling back to 6.1.10 resolved the issue. I plan to open a case with support, thanks for posting this.
    20 pointsBadges:
    report
  • Yasir Irfan
    Hi are you using ZPP if so disable fragmentation 
    7,330 pointsBadges:
    report
  • bjdraw
    Yes, and I have "fragmented traffic" checked on the TCP/IP Drop tab. I'll try that, thanks.
    20 pointsBadges:
    report
  • zeboalfgang
    we've had the same issue and here is Palo Alto's response: 

    two firewall interfaces in the same zone are connected to the L2 switch and have DNAT IP configured. The FW transmits out the GARP for the DNAT IP on one of the interfaces and receives back the sent GARP frames on the other interface(issue introduced in 7.x code version and fixed in 7.0.6). This will create network connectivity issue that impact unicast communication between ospf peers.

    Bassically the layer 2 switch that connects the ospf peers will learn the mac address of the interface on a wrong port and create intermittent conectivity.

    Next steps:

    1) confirm the above possible root cause: provide more information about topology used. Is the interface used for ospf connected via a layer 2 domain with another firewall interface?

    2) resolve the problem via one of the following options:

    - upgrade to 7.0.6 build which contains the following fix. FW will drop the frames from an ARP packet if the SRC MAC is one of FW interface MAC addresses.

    - one the layer 2 switch use two different vlans, one for each interface configured on Firewall. In this way the GARP packets will not reach the other interface.

    85110 Fixed an issue where the firewall sent gratuitous ARP (GARP) packets for an interface IP address used in a destination NAT rule from all interfaces in the zone where that interface belonged. With this fix, the GARP packets are sent only from the interface that owns the IP address.

    Software 7.0.6 was released and contains the fix for this issue. As I observed the "Received conflicting ARP on interface" message the unicast can be broken(in our particular case the DBD ospf packets).

    10 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: