Security Policy Filter - Affects the IP(s)

I'm working on business unit segmentation projects, so I have to identify rules affecting specific subnets and build a new policy.  The policies are normally several thousand rules and sometimes over 15 thousand rules, so the "Affects the IP" filter comes in very handy; however, I've noticed some behaviors which don't seem correct, or maybe I'm not understanding how the filter is intended to function.

As an example, if I'm searching for a larger CIDR block, e.g. /16, it doesn't match a /17 which falls inside of that /16.  A filter on /17 doesn't match /18 or /19 but matches all other CIDRs down to /32.  /18 doesn't match /19 but matches all others, and a filter for /19 doesn't match /20 - /25 but it matches /26 down to /32.  When filtering for a /20 it doesn't match /21 - /25 but does match smaller than /25.  And so on with filter /21: it doesn't match /22 - /25 but matches the remaining smaller CIDRs.  Once you get down to filtering on /24 it goes back to not matching the next smaller CIDR but matches all others, with /29 being the exception.  /29 doesn't match /30 or /31 but does match the host address.

There are only a few patterns which stand out to me.  In most cases the next smaller CIDR isn't matched when it starts with the same 4 octets, except for /17 not matching /18 and /19, and once the filtered CIDR is smaller than /25.

We found a type of workaround in adding another filter using the OR operator and the starting or ending IP of the CIDR block being searched.  I've added the table below to try and help explain.  Sorry for the long post; it's just not easy to explain the behavior.

Affects the IP(s) in destination   No rule match
10.38.0.0/16                       /17
10.38.0.0/17                       /18 or /19
10.38.64.0/18                      /19
10.38.96.0/19                      /20, /21, /22, /23, /24, /25
10.38.96.0/20                      /21, /22, /23, /24, /25
10.38.96.0/21                      /22, /23, /24, /25
10.38.96.0/22                      /23, /24, /25
10.38.96.0/23                      /24, /25
10.38.96.0/24                      /25
10.38.96.0/25                      /26
10.38.96.64/26                     /27
10.38.96.64/27                     /28
10.38.96.80/28                     /29
10.38.96.80/29                     /30 or /31
10.38.96.84/30                     /31
10.38.96.86/31                     /32
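As an added reference point (not Expedition's code, and not part of the original post), the snippet below implements the overlap semantics a segmentation engineer expects from an "affects the IP(s)" filter and, beside it, the poster's start/end-IP workaround. The rule names and the 10.39.0.0/16 control entry are constructed for the example; the destination prefixes are taken from the table above.

```python
# Added example: reference "affects the IP(s)" matching with Python's ipaddress.
# Rule set is constructed for illustration; destinations mirror the post's table.
import ipaddress

# Constructed sample rules: rule name -> destination CIDR.
RULES = {
    "r16": "10.38.0.0/16",
    "r17": "10.38.0.0/17",
    "r18": "10.38.64.0/18",
    "r19": "10.38.96.0/19",
    "r20": "10.38.96.0/20",
    "r24": "10.38.96.0/24",
    "r25": "10.38.96.0/25",
    "r29": "10.38.96.80/29",
    "r30": "10.38.96.84/30",
    "r32": "10.38.96.86/32",
    "other": "10.39.0.0/16",   # control entry, must never match a 10.38.x filter
}


def affects_ip(filter_cidr, rules=RULES):
    """Rules whose destination overlaps the filter block in any way.

    A rule is affected whether its destination contains the filter block,
    sits inside it, or equals it. This is the behaviour the poster expects
    (a /16 filter should match a /17 inside it)."""
    flt = ipaddress.ip_network(filter_cidr, strict=False)
    return sorted(
        name for name, dst in rules.items()
        if ipaddress.ip_network(dst, strict=False).overlaps(flt)
    )


def affects_ip_workaround(filter_cidr, rules=RULES):
    """The poster's workaround expressed as code: OR together a match on the
    block's first address and a match on its last address.

    On its own this only catches rules that cover an edge of the block, which
    is exactly the case the poster reports the filter missing (the next
    smaller prefix sharing the block's start address)."""
    flt = ipaddress.ip_network(filter_cidr, strict=False)
    first, last = flt.network_address, flt.broadcast_address
    return sorted(
        name for name, dst in rules.items()
        if first in ipaddress.ip_network(dst, strict=False)
        or last in ipaddress.ip_network(dst, strict=False)
    )
```

Running `affects_ip("10.38.0.0/16")` lists the /17 rule the post says the filter misses, and `affects_ip_workaround("10.38.96.80/29")` picks up the /30 rule via the block's last address.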

Hi @ChristopherMarston 

Thank you for contacting us and reporting your finding.

I will conduct further investigation in my lab using test projects. However, it would be greatly appreciated if you could share an export of your Expedition project by opening a TAC case and sending it to fwmigrate@paloaltonetworks.com.

Your cooperation is highly valued.

Best regards, David

I have a project where I built the rules with relevant address objects so I can reproduce the issue so this policy would not be installed on a Palo firewall.  Can I just use any Palo firewall serial number on our contract to open this case and then upload this test project?

Hi @ChristopherMarston 

Yes, use any serial. In the ticket please add a reference that it is only required for file-sharing purposes and it could be closed.

Send the TAC case number to fwmigrate@paloaltonetworks.com.

Thanks in advance!

David