Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Paloalto generator should correctly support other protocols than TCP/UDP and ICMP/ICMPv6 #273

Open
abhindes opened this issue May 12, 2021 · 0 comments
Open

Paloalto generator should correctly support other protocols than TCP/UDP and ICMP/ICMPv6 #273

abhindes opened this issue May 12, 2021 · 0 comments
Labels
generator: palo alto Priority-Low

Comments

@abhindes
Copy link
Collaborator

TCP, UDP, ICMP, ICMPv6 are supported correctly in the generator - TCP/UDP as services. ICMP/ICMPv6 as custom ip-protocol applications.
GRE and SCTP are currently implemented as in-built PANOS applications. This needs to be changed, since Capirca is vendor-neutral native L3/L4 filtering, and does not rely on ALG/App-ID (in PANOS) capabilities, since they are L7 based filtering.

The way to support GRE/SCTP (and other future protocols) is to create a custom ip-protocol application the way it is created for ICMP/ICMPv6.

When these protocols (say GRE) are present with TCP/UDP, it may be necessary to split them into separate rules to ensure correct translation of intent. One rule for TCP/UDP as services (which has application "any"), and another rule for the custom GRE ip-protocol application.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
generator: palo alto Priority-Low
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@abhindes