Packet Flow PA I Medita

The document outlines the packet flow sequence for PAN-OS 7.0.2 and later, detailing the steps a packet undergoes from ingress to egress through the firewall. It includes checks for protocol violations, session lookups, NAT policies, and security policy evaluations, along with content inspection and QoS shaping. The process culminates in the transmission of the packet through the physical egress interface, utilizing Palo Alto Networks' Single Pass Parallel Processing architecture for efficiency.

Uploaded by deephans325

www.imedita.com

PAN-OS Packet Flow Sequence (PAN-OS 7.0.2 & Later)


1. The packet arrives at the ingress interface.
2. Layer 2 protocol violations are checked (for example the 802.1Q tag, destination MAC and error detection).
3. Layer 3 (IPv4/IPv6) protocol violations are checked (for example TTL, protocol number and L3 checksum).
4. Layer 4 (TCP/UDP) protocol violations are checked.
5. If the firewall determines that the packet matches a tunnel (i.e. IPSec, or SSL-VPN with SSL), it performs decapsulation/decryption at this stage.
6. If the packet is fragmented, the firewall reassembles the IP fragments using the defragmentation process.
7. The firewall performs a session lookup for the packet.
8. The firewall applies zone protection profiles.
9. The firewall performs a TCP state check: if the first packet in a session is a TCP packet and it does not have the SYN bit set, the firewall discards it (default).
10. The firewall determines the packet-forwarding path. For Layer 2, the egress interface for the destination MAC is retrieved from the MAC table. If the information is not present, the frame is flooded to all interfaces in the associated VLAN broadcast domain, except for the ingress interface. For Layer 3, the firewall uses the route lookup table to determine the next hop, or discards the packet if there is no match.
11. The firewall performs a NAT policy lookup: destination NAT is evaluated first, then source NAT.
12. The firewall performs a User-ID lookup in the User-to-IP mapping table.
13. The firewall performs a DoS (Denial of Service) protection policy check.
14. The firewall performs a security policy lookup.
15. The firewall creates/allocates a new session/connection.
16. A packet that matches an existing session enters the Fast Path. This stage starts with Layer-2 to Layer-4 firewall processing:
   - If the session is in discard state, the firewall discards the packet.
   - If the session is active, the session timeout is refreshed.
   - If the packet is a TCP FIN/RST, the TCP half-closed timer is started if this is the first FIN packet received (half-closed session), or the TCP Time Wait timer is started if this is the second FIN packet or an RST packet. The session is closed as soon as either of these timers expires.
   - If NAT is applicable, the L3/L4 header is translated as applicable.
17. A packet matching an existing session is subject to further security processing (application identification and/or content inspection) if the packet has TCP/UDP data (payload), or it is a non-TCP/UDP packet. If the firewall has not yet detected the session application, it performs an App-ID lookup.
18. The firewall performs a Captive Portal rule lookup to see if the packet is subject to captive portal authentication.
19. The firewall performs App-ID. It first performs an application-override policy lookup to see if there is a rule match. If there is, the application is known and content inspection is skipped for this session. If there is no application-override rule, then application signatures are used to identify the application. The firewall uses protocol decoding in the content inspection stage to determine if an application changes from one application to another. After the firewall identifies the session application, access control, content inspection, traffic management and logging are set up as configured.

   - Security policy lookup: the identified application, as well as the IP/port/protocol/zone/user/URL category in the session, is used as the key to find a rule match.
   - If the security policy has logging enabled at session start, the firewall generates a traffic log each time the App-ID changes throughout the life of the session.
   - If the security policy action is set to allow and it has an associated profile and/or the application is subject to content inspection, then all content is passed through Content-ID.
   - If the security policy action is set to allow, the firewall performs a QoS policy lookup and assigns a QoS class based on the matching policy.
   - If the security policy action is set to allow and the application is SSL or SSH, the firewall performs a decryption policy lookup and sets up proxy contexts if there is a matching decryption rule.

20. The firewall performs content inspection, if applicable, where protocol decoders decode the flow and the firewall parses and identifies known tunnelling applications (those that routinely carry other applications, like web-browsing).
   - If the identified application changes as a result, the firewall consults the security policies once again to determine if the session should be permitted to continue.


   - If the application does not change, the firewall inspects the content as per all the security profiles attached to the original matching rule. If this results in a threat detection, the corresponding security profile action is taken.
   - The firewall forwards the packet to the forwarding stage if one of the following conditions holds true:
     - inspection results in a 'detection' and the security profile action is set to allow, or
     - content inspection returns no 'detection'.
   - The firewall then re-encrypts the packet before entering the forwarding stage, if applicable (SSL forward proxy decryption and SSH decryption).

21. The firewall identifies a forwarding domain for the packet, based on the forwarding setup.
22. The firewall performs QoS shaping as applicable in the egress process. Also, based on the MTU of the
egress interface and the fragment bit settings on the packet, the firewall carries out fragmentation if
needed.
23. If the egress interface is a tunnel interface, then IPSec/SSL-VPN tunnel encryption is performed and
packet forwarding is re-evaluated.
24. Finally, the packet is transmitted out of the physical egress interface.
25. Palo Alto Networks next-generation firewalls use a unique Single Pass Parallel Processing (SP3) architecture, which enables high-throughput, low-latency network security.
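As an added illustration, not taken from this document or from Palo Alto Networks, the following Python model shows the order in which steps 7, 9, 11, 14, 15 and 16 above are applied: session lookup, the SYN check on a new TCP flow, destination NAT before source NAT, the security policy lookup, session creation, and fast-path handling of later packets in the same session. The addresses, NAT tables and the single rule are constructed, and the rule is matched on the original (pre-NAT) destination purely as a simplification.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src dst sport dport flags")  # flags: frozenset of TCP flag names

# Constructed tables, not a real configuration: one public VIP mapped to an internal
# server, inside hosts hidden behind one source address, and a single allow rule.
DNAT = {("203.0.113.10", 443): ("10.0.0.5", 8443)}
SNAT_PREFIX, SNAT_ADDR = "10.0.0.", "203.0.113.1"
RULES = [(("203.0.113.10", 443), "allow")]  # matched on the original (pre-NAT) destination
DEFAULT_ACTION = "deny"

def key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

class Firewall:
    def __init__(self):
        self.sessions = {}  # 5-tuple -> session record

    def process(self, p):
        sess = self.sessions.get(key(p))                       # step 7: session lookup
        return self.fast_path(p, sess) if sess else self.slow_path(p)

    def slow_path(self, p):
        if p.proto == "tcp" and "SYN" not in p.flags:          # step 9: TCP state check
            return "drop: first packet without SYN"
        dst = DNAT.get((p.dst, p.dport), (p.dst, p.dport))     # step 11: destination NAT first,
        src = SNAT_ADDR if p.src.startswith(SNAT_PREFIX) else p.src  # then source NAT
        action = next((a for m, a in RULES if m == (p.dst, p.dport)), DEFAULT_ACTION)  # step 14
        state = "active" if action == "allow" else "discard"   # step 15: session created
        self.sessions[key(p)] = {"state": state, "nat": (src, dst), "fins": 0, "timer": "session"}
        return f"{action}: new session nat={src}->{dst[0]}:{dst[1]}"

    def fast_path(self, p, sess):                              # step 16
        if sess["state"] == "discard":
            return "drop: session in discard state"
        if "RST" in p.flags or ("FIN" in p.flags and sess["fins"]):
            sess["timer"] = "time-wait"                        # second FIN or RST
        elif "FIN" in p.flags:
            sess["fins"] += 1
            sess["timer"] = "half-closed"                      # first FIN
        src, dst = sess["nat"]                                 # translate L3/L4 header
        return f"forward nat={src}->{dst[0]}:{dst[1]} timer={sess['timer']}"

def demo():
    fw = Firewall()
    c = lambda *f: Pkt("tcp", "10.0.0.9", "203.0.113.10", 40000, 443, frozenset(f))
    w = Pkt("tcp", "10.0.0.9", "203.0.113.10", 40001, 80, frozenset({"SYN"}))
    return [fw.process(c("SYN")), fw.process(c("ACK")), fw.process(c("FIN")), fw.process(c("FIN")),
            Firewall().process(c("ACK")), fw.process(w), fw.process(w)]
```

Running `demo()` walks one allowed flow through SYN, data, first FIN and second FIN, then shows a non-SYN first packet being dropped and a denied flow whose later packets hit the session's discard state.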

Information source: Palo Alto Networks Knowledge Base:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
