Why are Rules Denying Applications Allowing Some Packets?

Why are Rules Denying Applications Allowing Some Packets?

49959
Created On 09/25/18 20:36 PM - Last Modified 05/31/23 21:42 PM


Resolution


Symptoms

Sessions associated with an application-based deny rule show some packets transmitted/received.

 

Issue

When the Palo Alto Networks firewall rules are evaluated, the security policy is evaluated two times:

  1. Checking the packet against the rule set if the application was set to ANY
  2. Checking the packet against the rule set once the application has been identified

Because the application is not necessarily known in the first packets, it can take several packets to determine what the underlying application is. During this evaluation period, packets may be allowed through unless there is a rule which would deny the traffic irrespective of the application (such as denying a destination URL/IP, port number, user, etc.). When the application is determined, if a rule does not permit that application and other aspects of that session, that packet and future packets in that active session will be denied (dropped).

 

Resolution

This is expected behavior. The issue is caused by the firewall not relying on ports only, it determines the underlying application.

 

owner: gwesson
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliLCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language