Educause Security Discussion mailing list archives

Palo Alto VPN passthrough


From: Garrett McManaway <garrett.mcmanaway () WAYNE EDU>
Date: Thu, 11 Jul 2019 19:16:29 +0000

All,

We recently upgraded our Palo Alto firewalls to the 5250 series and are running into an issue with WiFi calling for
various cell providers. It took us a while to figure this out, as it was working in part of our wireless network
(public) and not in the other parts (secure). The difference was that we are NATing the working SSID but not the SSID
that was not working. Because of the NAT, the VPN connections that the phones making wireless calls use were getting
encapsulated in UDP going out to the carrier networks, whereas with the non-NATed traffic they are not.

We were eventually able to determine that the 5200 and 7000 series firewalls from Palo Alto handle stateful
connections for ESP differently in the higher-end hardware for performance reasons. In essence, pass-through VPN
requires both an inbound and an outbound rule for the ESP traffic. This would normally be fine for point-to-point VPNs,
as both sides of a VPN are typically known entities, but with the VPN being used for the WiFi calling those IPs are
numerous. What we have done as a workaround is identify those IPs for the major providers and create a rule to allow
inbound ESP traffic, but there are still many we are missing, especially from non-US providers.

What Palo Alto suggests is just allowing ESP into the network from everywhere, and that approach has been taken by
other universities. We are also being told there is not enough demand for this to address it as a product enhancement.

I am curious if anyone else has run into this and, if so, what they are doing. And if you are seeing this issue, could
I include your organization's name in my ongoing attempt to convince Palo Alto this is not just a WSU problem?


Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454
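The asymmetry described in the post, as an added illustration that is not part of the original message and not Palo Alto code: a toy session table that keys UDP flows on the 5-tuple (so NAT-T encapsulated return traffic on UDP/4500 matches the outbound session) and keys raw ESP flows on the SPI. Because each direction of an ESP security association carries its own SPI, the carrier's return ESP packet never matches the outbound entry, and the only thing that can admit it is an explicit inbound rule. The carrier prefix, phone addresses and SPI values are constructed sample data; the way PAN-OS tracks ESP internally is not described on the page, so this model is an assumption used purely to show why the inbound allow list matters and why an unlisted carrier still fails.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP = 50   # IP protocol number for ESP (no ports)
UDP = 17
NAT_T_PORT = 4500  # IPsec NAT traversal: ESP carried inside UDP/4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP, which has no ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP Security Parameter Index, per direction


class ToyStatefulFilter:
    """Simplified session table (assumption, not PAN-OS internals).

    UDP sessions are keyed on the 5-tuple; ESP sessions are keyed on
    (src, dst, spi). Inbound packets are admitted if they match the reverse
    of an existing session, or, for ESP, if the source falls inside an
    explicit inbound allow list of carrier prefixes.
    """

    def __init__(self, inbound_esp_allow):
        self.sessions = set()
        self.inbound_esp_allow = [ipaddress.ip_network(n) for n in inbound_esp_allow]

    @staticmethod
    def _key(p: Packet):
        if p.proto == ESP:
            return (ESP, p.src, p.dst, p.spi)
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def outbound(self, p: Packet) -> None:
        """Outbound traffic is trusted here; record the session it creates."""
        self.sessions.add(self._key(p))

    def inbound(self, p: Packet) -> str:
        # Reverse lookup: swap src/dst (and ports). For ESP the only SPI we
        # know is the outbound one, so the reverse key carries the inbound
        # packet's SPI, which by construction differs from the outbound SPI.
        if p.proto == ESP:
            reverse = (ESP, p.dst, p.src, p.spi)
        else:
            reverse = (p.proto, p.dst, p.src, p.dport, p.sport)
        if reverse in self.sessions:
            return "session-match"
        if p.proto == ESP and any(
            ipaddress.ip_address(p.src) in net for net in self.inbound_esp_allow
        ):
            return "inbound-esp-rule"
        return "drop"


def simulate() -> dict:
    """Run the three cases from the post through the toy filter."""
    carrier = "203.0.113.10"          # constructed carrier gateway (TEST-NET-3)
    unlisted_carrier = "198.51.100.7" # constructed non-US carrier not on the list
    fw = ToyStatefulFilter(inbound_esp_allow=["203.0.113.0/24"])

    # Public (NATed) SSID: NAT forces NAT-T, so ESP rides inside UDP/4500.
    nat_phone = "10.10.0.5"
    fw.outbound(Packet(UDP, nat_phone, carrier, NAT_T_PORT, NAT_T_PORT))
    nat_t_reply = fw.inbound(Packet(UDP, carrier, nat_phone, NAT_T_PORT, NAT_T_PORT))

    # Secure (non-NATed) SSID: raw ESP, one SPI per direction.
    phone = "10.20.0.5"
    fw.outbound(Packet(ESP, phone, carrier, spi=0x1111))
    esp_reply_listed = fw.inbound(Packet(ESP, carrier, phone, spi=0x2222))
    esp_reply_unlisted = fw.inbound(Packet(ESP, unlisted_carrier, phone, spi=0x3333))

    return {
        "nat_t_reply": nat_t_reply,            # matched by 5-tuple state
        "esp_reply_listed": esp_reply_listed,  # only the explicit rule admits it
        "esp_reply_unlisted": esp_reply_unlisted,  # the "still missing" case
    }


if __name__ == "__main__":
    for case, verdict in simulate().items():
        print(f"{case}: {verdict}")
```

The three verdicts map directly onto the post: the NATed SSID works because the UDP reply reverses cleanly onto the outbound session, the non-NATed SSID only works for carriers on the inbound ESP allow list, and traffic from any carrier not on that list is dropped, which is the gap the "allow ESP from everywhere" suggestion closes at the cost of accepting ESP from arbitrary sources.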

