Thursday, February 21, 2019

Need help tracing a suspicious stream of packets through a Palo Alto firewall. How did these things get onto my network, where did they come from and what are they doing?

tl;dr - Packets from a private address range that doesn't exist in our org are continually trying to get to our DCs on TCP 389. How do I get a better idea of where they're coming from and why?

My org uses a 10.0.0.0/8 internal addressing scheme, with the second octet indicating location, third indicating department, etc. Pretty common.

I was looking at logs from our internal Server segment firewall earlier today, and I noticed a stream of packets from the 192.168.0.0/16 range trying to get to our Domain Controllers on TCP 389 (I assume LDAP). My server firewall is dropping them because I don't have a rule configured for that address range, but I was confused as to how those packets got onto our network and why they're aiming for our DCs.

I traced the packets back to our edge Palo Alto firewalls, and specifically to one of the Tunnel interfaces. This specific tunnel interface is used for our Global Protect gateway, but all of the DHCP addresses for our Global Protect clients are given out in the 10.x.<department VLAN>.x range. Yet all these packets have source IPs in the 192.168.0.0/16 range. There's no other information in the firewall logs about which user it might be coming from. See the show session id example below.

What's my next step in troubleshooting this? These packets are being dropped by our internal firewall and no one is complaining about anything not working, but I can't help but be confused as to where they came from and what they're trying to do.

Here's an example of one of the many sessions that I've seen like this, taken from my edge firewall which let it through.

Session          235688

        c2s flow:
                source:      192.168.1.103 [Zone_L3_Global Protect]
                dst:         10.-.-.- (one of our DCs)
                proto:       6
                sport:       55158           dport:      389
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
                pbf rule:    ISP Failover rule 11

        s2c flow:
                source:      10.-.-.- (one of our DCs) [Inside_Routed]
                dst:         192.168.1.103
                proto:       6
                sport:       389             dport:      55158
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                            : Thu Feb 21 16:48:42 2019
        timeout                               : 5 sec
        total byte count(c2s)                 : 62
        total byte count(s2c)                 : 0
        layer7 packet count(c2s)              : 1
        layer7 packet count(s2c)              : 0
        vsys                                  : vsys1
        application                           : incomplete
        rule                                  : Global Protect to any
        session to be logged at end           : True
        session in session ager               : False
        session updated by HA peer            : False
        layer7 processing                     : enabled
        URL filtering enabled                 : True
        URL category                          : any
        session via syn-cookies               : False
        session terminated on host            : False
        session traverses tunnel              : True
        captive portal session                : False
        ingress interface                     : tunnel.1
        egress interface                      : ae1
        session QoS rule                      : N/A (class 4)
        tracker stage firewall                : Aged out
        end-reason                            : aged-out
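One way to turn this kind of session record into a repeatable check, as an added example that is not code from the original post or from Palo Alto Networks: parse the `show session id` output into fields, then flag any session that entered on a GlobalProtect tunnel interface with a client source address outside the pools that tunnel is supposed to hand out. The session text embedded below is a constructed sample laid out the way the PAN-OS CLI prints this output (the post shows it flattened), with the values taken from the session above and the redacted DC address replaced by the constructed placeholder 10.10.20.5. The expected pool (10.0.0.0/8) and tunnel interface name (tunnel.1) are assumptions matching the post.

```python
"""Parse PAN-OS 'show session id' output and flag sessions whose client
source address is outside the pools a tunnel interface is expected to carry.

Added example, not from the original post. SAMPLE_SESSION is a constructed
sample modelled on the session in the post; 10.10.20.5 is a placeholder for
the redacted domain controller address.
"""
import ipaddress
import re

SAMPLE_SESSION = """\
Session          235688

        c2s flow:
                source:      192.168.1.103 [Zone_L3_Global Protect]
                dst:         10.10.20.5
                proto:       6
                sport:       55158           dport:      389
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
                pbf rule:    ISP Failover rule 11

        s2c flow:
                source:      10.10.20.5 [Inside_Routed]
                dst:         192.168.1.103
                proto:       6
                sport:       389             dport:      55158
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                            : Thu Feb 21 16:48:42 2019
        timeout                               : 5 sec
        total byte count(c2s)                 : 62
        total byte count(s2c)                 : 0
        vsys                                  : vsys1
        application                           : incomplete
        rule                                  : Global Protect to any
        session traverses tunnel              : True
        ingress interface                     : tunnel.1
        egress interface                      : ae1
        end-reason                            : aged-out
"""

# One "key: value" pair, or several on a line separated by runs of spaces
# (e.g. "sport: 55158     dport: 389"). Keys may contain spaces, (), / and -.
PAIR_RE = re.compile(
    r"([A-Za-z][\w ()/-]*?)\s*:\s*(\S.*?)(?=\s{2,}[A-Za-z][\w ()/-]*?\s*:|$)"
)


def parse_session(text):
    """Return a flat dict of the session; flow fields are prefixed c2s./s2c."""
    session = {}
    flow = None  # which flow block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flow = None  # a blank line ends the current flow block
            continue
        m = re.match(r"Session\s+(\d+)$", line)
        if m:
            session["id"] = int(m.group(1))
            continue
        m = re.match(r"(c2s|s2c) flow:$", line)
        if m:
            flow = m.group(1)
            continue
        for key, value in PAIR_RE.findall(line):
            name = f"{flow}.{key}" if flow else key
            session[name] = value.strip()
    return session


def ip_of(field):
    """'192.168.1.103 [Zone_L3_Global Protect]' -> IPv4Address('192.168.1.103')."""
    return ipaddress.ip_address(field.split()[0])


def assess(session, expected_pools, tunnel_ifaces):
    """Return a list of findings for one parsed session (empty if nothing odd)."""
    findings = []
    ingress = session.get("ingress interface", "")
    src = ip_of(session["c2s.source"])
    pools = [ipaddress.ip_network(p) for p in expected_pools]
    on_tunnel = ingress in tunnel_ifaces
    if on_tunnel and not any(src in pool for pool in pools):
        findings.append(
            f"src {src} arrived on {ingress} but is outside expected pools {expected_pools}"
        )
    if on_tunnel and session.get("c2s.src user") == "unknown":
        findings.append(f"no user mapping for {src} on {ingress}")
    if session.get("application") == "incomplete" and session.get("total byte count(s2c)") == "0":
        findings.append("handshake never completed: zero s2c bytes (unanswered or dropped downstream)")
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_SESSION)
    for finding in assess(parsed, ["10.0.0.0/8"], {"tunnel.1"}):
        print(f"session {parsed['id']}: {finding}")
```

Run against the sample, the check reports all three conditions the post describes: a source outside the 10.0.0.0/8 client pool entering on tunnel.1, no User-ID mapping for it, and a handshake that never got a reply. Feeding it the real sessions from the edge firewall (or the equivalent fields from the traffic log export) gives a list of offending sessions to correlate with the GlobalProtect gateway's current-user table by time and tunnel.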
