L3 and L4 Inspection


Starting with PAN-OS 11.0, Zone Protection profiles can be used to inspect Layer 3 and Layer 4 header information in packets arriving at the ingress zone.

Palo Alto firewalls control traffic using zones, and the ability to stop traffic before it passes through the ingress zone further secures the environment, as the dropped packets never even get parsed or evaluated by the rest of the firewall.

Zero-trust security models demand that any traffic that is not sanctioned be dropped and not permitted to traverse the network at all.

Layer 3 and Layer 4 header inspection provides exactly this control.

Although there is a limit to the number of zones that can have Layer 3 and Layer 4 inspection enabled, this remains a very useful feature in the new PAN-OS versions.

Please see our new video on configuring Layer 3 and Layer 4 header inspection in Zone Protection profiles.

Issues / Considerations

While configuring this we observed the following things of note:

  • Initial configuration was very easy; for once, the admin guide documents it fairly well.
  • Logs are sent to the Threat log and are, in my opinion, a little confusing, though I am sure there is a reason for it. As can be seen in the video, if the action for the signature is DROP then the action in the log is drop; if however the action is RESET, the log action displays as alert, which I personally find a little confusing.
  • There is a limit to the number of zones that can have L3 and L4 inspection enabled, although at the time of writing I can find no documentation as to what those limits are; I suspect they will differ per platform.

Documents for reference

L3 and L4 Inspection