Tag Archives: Zone Protection

It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

ICMP/ICMPv6, Palo Alto Networks, , , , , , , ,

The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not“. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s way easier if things do or don’t work at all, but not this “some don’t” situation.

The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. 😂 The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.

Continue reading It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

PAN: Logging of Packet-Based Attack Protection Events e.g. Spoofed IP

Palo Alto Networks, , , ,

I just had a hard time figuring out that a network routing setup was not working due to a correctly enforced IP Spoofing protection on a Palo Alto Networks firewall. Why was it a hard time? Because I did not catch that the IP spoofing protection kicked in since there were no logs. And since we do log *everything*, a non-existent log means nothing happened, right? Uhm, not in this case. Luckily, you can (SHOULD!) enable an additional thread log on the Palo firewall.

Continue reading PAN: Logging of Packet-Based Attack Protection Events e.g. Spoofed IP