<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Permit statement isn't capturing all the traffic in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504520#M166</link>
    <description>&lt;P&gt;We have a school tied to our organization that's using a PA-850 and is running 10.1.6, and we're trying to get Battle.net working. After considerable troubleshooting, I put in a rule at the very top to permit the "zESports" zone to get to any IP on any zone. See the eSport_to_all_rule image. For some reason, some packets completely bypass this rule and make their way to the very last rule, which is the interzone-default. This rule resets both ends of the connection, and it's shown in the eSports_reset-both image below.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://choctawnationofoklahoma-my.sharepoint.com/personal/1005721_choctawnation_com/Documents/Microsoft%20Teams%20Chat%20Files/eSports_to_all.png?csf=1&amp;amp;web=1&amp;amp;e=z12sk1" target="_self"&gt;eSport_to_all_rule&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://choctawnationofoklahoma-my.sharepoint.com/personal/1005721_choctawnation_com/Documents/Microsoft%20Teams%20Chat%20Files/eSports_reset-both.png?csf=1&amp;amp;web=1&amp;amp;e=Fge9LW" target="_self"&gt;eSports_reset-both&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most of the packets between the two hosts traverse just fine, but the resets come generally after a GET request. I'm not seeing the destination IP in any of the logs, outside of the Traffic log. Does anyone have an idea? Thanks&lt;/P&gt;</description>
    <pubDate>Fri, 17 Jun 2022 17:18:21 GMT</pubDate>
    <dc:creator>abaskerville</dc:creator>
    <dc:date>2022-06-17T17:18:21Z</dc:date>
    <item>
      <title>Permit statement isn't capturing all the traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504520#M166</link>
      <description>&lt;P&gt;We have a school tied to our organization that's using a PA-850 and is running 10.1.6, and we're trying to get Battle.net working. After considerable troubleshooting, I put in a rule at the very top to permit the "zESports" zone to get to any IP on any zone. See the eSport_to_all_rule image. For some reason, some packets completely bypass this rule and make their way to the very last rule, which is the interzone-default. This rule resets both ends of the connection, and it's shown in the eSports_reset-both image below.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://choctawnationofoklahoma-my.sharepoint.com/personal/1005721_choctawnation_com/Documents/Microsoft%20Teams%20Chat%20Files/eSports_to_all.png?csf=1&amp;amp;web=1&amp;amp;e=z12sk1" target="_self"&gt;eSport_to_all_rule&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://choctawnationofoklahoma-my.sharepoint.com/personal/1005721_choctawnation_com/Documents/Microsoft%20Teams%20Chat%20Files/eSports_reset-both.png?csf=1&amp;amp;web=1&amp;amp;e=Fge9LW" target="_self"&gt;eSports_reset-both&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most of the packets between the two hosts traverse just fine, but the resets come generally after a GET request. I'm not seeing the destination IP in any of the logs, outside of the Traffic log. Does anyone have an idea? Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jun 2022 17:18:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504520#M166</guid>
      <dc:creator>abaskerville</dc:creator>
      <dc:date>2022-06-17T17:18:21Z</dc:date>
    </item>
    <item>
      <title>Re: Permit statement isn't capturing all the traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504537#M167</link>
      <description>&lt;P&gt;Not seeing the images, you put them on OneDrive or something... need to post them here.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;By default, the intrazone-default and interzone-default rules do not log traffic. Select each from the Security rule list and then click the "Override" button in the bottom task bar and you can then enable logging on the rule. You may also want to enable both start and end logging for the defaults and your special rule. The 2 Traffic log entries may then tell you something about the traffic being identified initially under one rule and then being reclassified to a different rule later.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is important to remember that the PA doesn't work on top-down processing like a traditional firewall, it works on most-specific-match processing. So if the detected category/application/etc. changes as the PA processes more and more packets in the stream, it may suddenly jump to a different Security rule.&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jun 2022 18:09:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504537#M167</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-06-17T18:09:48Z</dc:date>
    </item>
    <item>
      <title>Re: Permit statement isn't capturing all the traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504547#M168</link>
      <description>&lt;P&gt;intrazone-default was configured to log traffic, so we do see it. We just got it fixed - the application was set to 'any' but the service was set to 'application-default.' Changing the latter to 'any' fixed the problem.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for your time on this, and I'm selecting your response as the answer as it describes the behavior we were seeing.&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jun 2022 18:55:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504547#M168</guid>
      <dc:creator>abaskerville</dc:creator>
      <dc:date>2022-06-17T18:55:10Z</dc:date>
    </item>
    <item>
      <title>Re: Permit statement isn't capturing all the traffic</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504583#M172</link>
      <description>&lt;P&gt;Ah yes... I have been bit by the any/application-default as well when I had a "deny all" rule with logging and yet some traffic was still making it to the intra/interzone-default rules (before I learned how to enable logging there). I should have thought of that initially.&lt;/P&gt;</description>
      <pubDate>Fri, 17 Jun 2022 20:50:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/permit-statement-isn-t-capturing-all-the-traffic/m-p/504583#M172</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-06-17T20:50:32Z</dc:date>
    </item>
  </channel>
</rss>