https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/558490#M1866 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/301972">@EmmanB-NC</a>&nbsp;,</P> <P>&nbsp;</P> <P>Because that FQDN destination is changing IP every few seconds I believe you might be hitting the following issue:<BR /><STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POKhCAO" target="_blank" rel="noopener">Using FQDN address object with dynamic IP for Policies</A>&nbsp;</STRONG></P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Tue, 19 Sep 2023 06:53:47 GMT kiwi 2023-09-19T06:53:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/555066#M1763 <P>Firewall is skipping policy when the traffic has&nbsp;<STRONG>smtp-base port 587</STRONG>&nbsp;on it<STRONG>.</STRONG>&nbsp;<BR /><BR />I created a firewall policy application based with <STRONG>smtp-base</STRONG> as application but it skips the policy goes to the implicit interzone deny policy. So I created it with by just port based, <STRONG>587,&nbsp;</STRONG>it sill skips the policy and goes to interzone default deny.&nbsp;<BR /><BR />So I explicitly defined app-based and port based on the policy, it still skips the policy.&nbsp;<BR /><BR />When I run the troubleshooter, Test Policy, it is able to match the policy created when I only specified the port 587. It skips it when I add the application, smtp-base.&nbsp;<BR /><BR /><STRONG>PA-440, PANOS 10.1.9</STRONG><BR /><BR />Anyone else encountered the same issue and was able to solve it? Or anything you recommend to solve this is greatly appreciated!</P> Thu, 24 Aug 2023 14:17:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/555066#M1763 EmmanB-NC 2023-08-24T14:17:44Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/555485#M1767 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/301972">@EmmanB-NC</a>&nbsp;,</P> <P>&nbsp;</P> <P>Strange. It would be interesting to see the full configuration of the rules in question and compare it to the deny rule.</P> <P>When you're hitting the default-deny rules, how is the traffic being identified exactly ?&nbsp;</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Mon, 28 Aug 2023 07:23:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/555485#M1767 kiwi 2023-08-28T07:23:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/558347#M1861 <P>Hi Kiwi,&nbsp;<BR /><BR />It turned out the application recognized to destination smtp.office365.com is outlook-web-online using port 587 and not smtp-base. This is when I enabled Any Any temporarily to see what application traffic is actually going over the firewall.&nbsp;<BR />Traffic appears to be allowed on the firewall however email is not received by expected recipient.&nbsp;</P> Mon, 18 Sep 2023 11:29:41 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/558347#M1861 EmmanB-NC 2023-09-18T11:29:41Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/558490#M1866 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/301972">@EmmanB-NC</a>&nbsp;,</P> <P>&nbsp;</P> <P>Because that FQDN destination is changing IP every few seconds I believe you might be hitting the following issue:<BR /><STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POKhCAO" target="_blank" rel="noopener">Using FQDN address object with dynamic IP for Policies</A>&nbsp;</STRONG></P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kim.</P> Tue, 19 Sep 2023 06:53:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/558490#M1866 kiwi 2023-09-19T06:53:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/559402#M1897 <P>I tried it also with the actual IP range object defined on the policy. It appears as allowed traffic but the application still gets an error.&nbsp;</P> Mon, 25 Sep 2023 18:37:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/559402#M1897 EmmanB-NC 2023-09-25T18:37:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/594986#M3596 <P>Hi expert,</P> <P>&nbsp;</P> <P>anyone know the answer? facing same issue.</P> <P>&nbsp;</P> <P>thanks</P> Thu, 15 Aug 2024 04:19:37 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/fw-policy-skipped-when-either-app-based-only-or-smtp-base-app/m-p/594986#M3596 LizaRajjab 2024-08-15T04:19:37Z