topic Re: Security Policy Filter - Affects the IP(s) in Expedition Discussions

Security Policy Filter - Affects the IP(s)

ChristopherMarston — Tue, 13 Feb 2024 11:08:38 GMT

I'm working on business unit segmentation projects so I have to identify rules affecting specific subnets and build a new policy. The policies are normally several thousand rules and sometimes over 15 thousand rules so the "Affects the IP" filter comes in very handy however I've noticed some behaviors which don't seem correct or maybe I'm not understanding the filter is intended to function.

As an example, If I'm searching for a larger CIDR block e.g. /16 it doesn't match /17 which falls inside of that /16. A filter on /17 doesn't match /18 or /19 but matches all other CIDRs down to /32. /18 doesn't match /19 but matches all others and a filter for /19 doesn't match /20 - /25 but it matches /26 down to /32. When filtering for a /20 it doesn't match /21 - /25 but does match smaller than /25. And so on with filter /21, it doesn't match /22 - /25 but matches remaining smaller CIDR. Once you get down to filtering on /24 it goes back to not matching the next smaller CIDR but matches all others with /29 being the exception. /29 doesn't match /30 or /31 but does match the host address.

There are only a few patterns which stand out to me. In most cases the next smaller CIDR isn't matched when it starts with the same 4 octets except for /17 not matching /18 and 19 and once the filtered CIDR is smaller than /25.

We found a type of work around in adding another filter using OR operator and starting or ending IP for the CIDR block being searched. I've added the table below to try and help explain. Sorry for the long post just not easy to explain the behavior.

Affects the IP(s) in destination	No rule match
10.38.0.0/16	/17
10.38.0.0/17	/18 or 19
10.38.64.0/18	/19
10.38.96.0/19	/20, 21, 22, 23, 24, 25
10.38.96.0/20	/21, 22, 23, 24, 25
10.38.96.0/21	/22, 23, 24, 25
10.38.96.0/22	/23, 24, 25
10.38.96.0/23	/24, 25
10.38.96.0/24	/25
10.38.96.0/25	/26
10.38.96.64/26	/27
10.38.96.64/27	/28
10.38.96.80/28	/29
10.38.96.80/29	/30 or /31
10.38.96.84/30	/31
10.38.96.86/31	/32

Re: Security Policy Filter - Affects the IP(s)

dpuigdomenec — Fri, 23 Feb 2024 12:14:25 GMT

Hi @ChristopherMarston

Thank you for contacting us and reporting your finding.

I will conduct further investigation in my lab using test projects. However, it would be greatly appreciated if you could share an export of your Expedition project by opening a TAC case and sending it to fwmigrate@paloaltonetworks.com.

Your cooperation is highly valued.

Best regards, David

Re: Security Policy Filter - Affects the IP(s)

ChristopherMarston — Fri, 23 Feb 2024 13:56:46 GMT

I have a project where I built the rules with relevant address objects so I can reproduce the issue so this policy would not be installed on a Palo firewall. Can I just use any Palo firewall serial number on our contract to open this case and then upload this test project?

Re: Security Policy Filter - Affects the IP(s)

dpuigdomenec — Fri, 23 Feb 2024 17:27:17 GMT

Hi @ChristopherMarston

Yes, use any serial. In the ticket please add a reference that it is only required for sharing files purposes and it could be closed.

Send the TAC case number to fwmigrate@paloaltonetworks.com.

Thanks in advance!

David