Educause Security Discussion mailing list archives
Palo Alto VPN passthrough
From: Garrett McManaway <garrett.mcmanaway () WAYNE EDU>
Date: Thu, 11 Jul 2019 19:16:29 +0000
All,

We recently upgraded our Palo Alto firewalls to the 5250 series and are running into an issue with WiFi calling for various cell providers. It took us a while to figure this out as it was working in part of our wireless network (public) and not in the other parts (secure). The difference was we are NATing the working SSID but not the SSID that was not working. Because of the NAT, the VPN connection that the phones making wireless calls use was getting encapsulated in UDP going out to the carrier networks, whereas with the non-NATed traffic it does not.

What we were eventually able to determine is that the 5200 and 7000 series firewalls from Palo Alto handle stateful connections for ESP differently in the higher-end hardware for performance reasons. In essence, pass-through VPN requires both an inbound and an outbound rule for the ESP traffic. This would normally be fine for point-to-point VPNs, as both sides of a VPN are typically known entities, but with the VPN being used for WiFi calling those IPs are numerous.

What we have done as a workaround is identify those IPs for the major providers and create a rule to allow inbound ESP traffic, but there are still many we are missing, especially from non-US providers. What Palo Alto suggests is just allowing ESP into the network from everywhere, and that approach has been taken by other universities. We are also being told there is not enough demand for this to address it as a product enhancement.

I am curious if anyone else has run into this and, if so, what are they doing? And if you are seeing this issue, could I include your organization's name in my ongoing attempt to convince Palo Alto this is not just a WSU problem?

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454
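The workaround described in the post (finding the carrier VPN gateways whose inbound ESP is being dropped and allowing only those, rather than ESP from anywhere) can be driven from the firewall's own traffic logs. The following is an added example, not code from the poster or from Palo Alto; it assumes a constructed, simplified log layout (time, from_zone, to_zone, src, dst, proto, dport, action) and a zone name "secure-wifi" for the non-NATed SSID, neither of which is the real PAN-OS schema.

```python
"""Correlate traffic logs to find IPsec peers whose inbound ESP is dropped
despite a matching, allowed outbound ESP flow from an internal client.
Constructed, simplified log format (NOT the PAN-OS traffic-log schema):
  time,from_zone,to_zone,src,dst,proto,dport,action
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

ESP = 50                        # IP protocol number for raw ESP (no UDP encapsulation)
WINDOW = timedelta(minutes=5)   # how long an outbound ESP flow "expects" a reply

# Constructed sample log lines; "secure-wifi" is the non-NATed SSID's zone.
SAMPLE_LOG = """\
2019-07-11T10:00:00,secure-wifi,untrust,10.20.1.15,198.51.100.7,50,0,allow
2019-07-11T10:00:01,untrust,secure-wifi,198.51.100.7,10.20.1.15,50,0,deny
2019-07-11T10:00:02,untrust,secure-wifi,198.51.100.7,10.20.1.15,50,0,deny
2019-07-11T10:01:00,secure-wifi,untrust,10.20.1.40,203.0.113.9,50,0,allow
2019-07-11T10:01:01,untrust,secure-wifi,203.0.113.9,10.20.1.40,50,0,deny
2019-07-11T10:02:00,untrust,secure-wifi,192.0.2.200,10.20.1.15,50,0,deny
2019-07-11T10:03:00,public-wifi,untrust,10.30.5.8,198.51.100.7,17,4500,allow
"""

def find_blocked_esp_peers(log_text, inside_zone="secure-wifi", window=WINDOW):
    """Return {peer_ip: dropped_count} for external peers whose inbound ESP was
    denied within `window` of an allowed outbound ESP flow to that peer from
    the same internal host. Unsolicited inbound ESP (no prior outbound flow)
    is ignored, so the result is a candidate allow-list, not 'ESP from anywhere'."""
    rows = csv.DictReader(io.StringIO(log_text),
                          fieldnames=["time", "from_zone", "to_zone", "src",
                                      "dst", "proto", "dport", "action"])
    last_outbound = {}          # (internal_ip, peer_ip) -> time of last outbound ESP
    blocked = Counter()
    for r in rows:
        if int(r["proto"]) != ESP:
            continue            # NAT-T (UDP/4500) already passes; only raw ESP matters
        t = datetime.fromisoformat(r["time"])
        if r["from_zone"] == inside_zone and r["action"] == "allow":
            last_outbound[(r["src"], r["dst"])] = t
        elif r["to_zone"] == inside_zone and r["action"] == "deny":
            seen = last_outbound.get((r["dst"], r["src"]))
            if seen is not None and t - seen <= window:
                blocked[r["src"]] += 1
    return dict(blocked)

if __name__ == "__main__":
    for peer, n in sorted(find_blocked_esp_peers(SAMPLE_LOG).items()):
        print(f"{peer}: {n} inbound ESP packets dropped after outbound ESP")
```

On the sample data this reports 198.51.100.7 and 203.0.113.9 as peers needing an inbound ESP rule, while 192.0.2.200 (inbound ESP with no matching outbound flow) is left out.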
Current thread:
- Palo Alto VPN passthrough Garrett McManaway (Jul 11)
- <Possible follow-ups>
- Re: Palo Alto VPN passthrough Chris Brizzell (Jul 12)