<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Palo Alto denying the traffic randomly in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/508174#M196</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225405"&gt;@Abhishekrs987&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;Interesting...I can see this FQDN also has a very long TTL. Are you able to provide a screenshot from your rule and from the detailed log view (magnifying glass on the far left of the log entry) for both allowed and denied traffic? Feel free to obfuscate any sensitive information (IP addresses, source users, zone names).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I just re-read your question - as mentioned here - &lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Action Source will specify where the final action was defined - by the rule or by the application. It should be normal to see "from-application" when traffic is blocked. This is because each application definition has a "deny action", which will tell the firewall what to do when it denies the traffic. This is important, because some applications are sensitive and when a connection is denied, the FW needs to send a TCP RST or the connection will stall on either the client or the server.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am interested to see the "Session End Reason" log field for both allowed and blocked traffic.&lt;/P&gt;</description>
    <pubDate>Thu, 07 Jul 2022 08:31:31 GMT</pubDate>
    <dc:creator>aleksandar.astardzhiev</dc:creator>
    <dc:date>2022-07-07T08:31:31Z</dc:date>
    <item>
      <title>Palo Alto denying the traffic randomly</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/507446#M188</link>
      <description>&lt;P&gt;A simple rule is created in my firewall, where the traffic is allowed from our servers to the FQDN which is residing on the internet. Application is any and in service 443 is allowed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sometimes the firewall is allowing the traffic, sometimes it is denying it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only difference which I observed in the log is the action source. If the action source is from-policy, traffic is allowed, and if it is from-application, traffic is blocked.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tried modifying the rule by adding ssl and web-browsing, but no luck.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please suggest here.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Jun 2022 15:08:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/507446#M188</guid>
      <dc:creator>Abhishekrs987</dc:creator>
      <dc:date>2022-06-30T15:08:06Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto denying the traffic randomly</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/507621#M189</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225405"&gt;@Abhishekrs987&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;I am almost certain that the problem is caused by the FQDN object. More specifically, the FQDN you are trying to reach is using DNS load balancing, which will return different IPs every few requests.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What (most probably) is happening is that:&lt;/P&gt;
&lt;P&gt;- By default the firewall is making a DNS request every 30mins to resolve the FQDN object used in the policy. When it receives a reply it will cache all the IPs and use them in the policy (for the next 30mins). After 30mins it will repeat the process and if it receives different IPs it will replace them in the allow rule.&lt;/P&gt;
&lt;P&gt;- Every time the user tries to reach the FQDN it will make a new DNS request (of course it will cache the reply, but until the TTL expires).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;One way you can try to solve this is to tell the firewall to use the TTL in the DNS response. This will have a benefit for FQDNs with a short TTL. The problem is it could bring additional load to the management plane (it will force the firewall to make additional DNS queries and constantly update the policy).&lt;/P&gt;
&lt;P&gt;Unfortunately I am not sure that will help against DNS round robin load balancing, where almost every DNS request receives a different reply. I think I have seen such with some Office365 or Azure services....cannot remember a specific example right now.&lt;/P&gt;</description>
      <pubDate>Fri, 01 Jul 2022 07:42:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/507621#M189</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2022-07-01T07:42:18Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto denying the traffic randomly</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/508164#M195</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130"&gt;@aleksandar.astardzhiev&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the response. It is very informative.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;But the FQDN which I created is tools1.cisco.com. When I tried resolving it, every time it resolves to a single IP, and even in the logs for both the deny and allow logs I am seeing the same IP in the destination.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jul 2022 06:11:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/508164#M195</guid>
      <dc:creator>Abhishekrs987</dc:creator>
      <dc:date>2022-07-07T06:11:16Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto denying the traffic randomly</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/508174#M196</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225405"&gt;@Abhishekrs987&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;Interesting...I can see this FQDN also has a very long TTL. Are you able to provide a screenshot from your rule and from the detailed log view (magnifying glass on the far left of the log entry) for both allowed and denied traffic? Feel free to obfuscate any sensitive information (IP addresses, source users, zone names).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I just re-read your question - as mentioned here - &lt;A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Action Source will specify where the final action was defined - by the rule or by the application. It should be normal to see "from-application" when traffic is blocked. This is because each application definition has a "deny action", which will tell the firewall what to do when it denies the traffic. This is important, because some applications are sensitive and when a connection is denied, the FW needs to send a TCP RST or the connection will stall on either the client or the server.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am interested to see the "Session End Reason" log field for both allowed and blocked traffic.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jul 2022 08:31:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/508174#M196</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2022-07-07T08:31:31Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto denying the traffic randomly</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/1229447#M5905</link>
      <description>&lt;P&gt;Hi Abhishek,&lt;BR /&gt;&lt;BR /&gt;Were you able to resolve or identify the cause? I am facing the same issue.&lt;/P&gt;</description>
      <pubDate>Mon, 19 May 2025 12:29:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-denying-the-traffic-randamly/m-p/1229447#M5905</guid>
      <dc:creator>JubairJunaid</dc:creator>
      <dc:date>2025-05-19T12:29:15Z</dc:date>
    </item>
  </channel>
</rss>

