https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/597845#M3736 <P>Dear Members,&nbsp;</P> <P>I need some help regarding the Paloalto firewall. We are managing the firewalls using the Panorama. I am new in the environment. I have been told that the source subnet resides in the inside zone hence I added the source group in the inside zone configured it correctly.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_0-1726352843740.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62244iF109FC2015B475BA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_0-1726352843740.png" alt="omarali53_0-1726352843740.png" /></span></P> <P>In the firewalls logs I can see that the traffic has started hitting the rule (which looks good). But for some reasons the user is reporting that he can not access the service and says that he is getting the error that the port is not reachable but we can see that the traffic on port 443 is allowed. In he below we can see that the traffic is allowed and the source zone is inside (interface ae3.99). the picture is from panorama gui.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_1-1726353054367.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62245iBD81AED9F0DDA0C8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_1-1726353054367.png" alt="omarali53_1-1726353054367.png" /></span></P> <P>Just to make sure I logged into the CLI of the firewall and checked the routing table and zone of the source subnet. Here I am amazed to see that the CLI is showing a different source zone for the same IP address. here it is showing that the source interface is ae3.199 which is a different zone then inside.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_2-1726353282724.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62246i8919F70B48EA5159/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_2-1726353282724.png" alt="omarali53_2-1726353282724.png" /></span></P> <P>The routing table also states that the traffic from the subnet 10.151.0.0/16 belongs to the different zone (other than Inside).&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_3-1726353419343.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62247i369D391E90E8068F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_3-1726353419343.png" alt="omarali53_3-1726353419343.png" /></span></P> <P>Now I am curious that the Panorama GUI is showing that the source IP 10.151.103.124 belongs to the Inside zone. But the CLI in firewall and routing table states that the same IP belongs to the different zone. Someone please help me how to rectify and resolve this issue? what could be the cause of this problem?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 14 Sep 2024 22:38:38 GMT omarali53 2024-09-14T22:38:38Z https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/597845#M3736 <P>Dear Members,&nbsp;</P> <P>I need some help regarding the Paloalto firewall. We are managing the firewalls using the Panorama. I am new in the environment. I have been told that the source subnet resides in the inside zone hence I added the source group in the inside zone configured it correctly.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_0-1726352843740.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62244iF109FC2015B475BA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_0-1726352843740.png" alt="omarali53_0-1726352843740.png" /></span></P> <P>In the firewalls logs I can see that the traffic has started hitting the rule (which looks good). But for some reasons the user is reporting that he can not access the service and says that he is getting the error that the port is not reachable but we can see that the traffic on port 443 is allowed. In he below we can see that the traffic is allowed and the source zone is inside (interface ae3.99). the picture is from panorama gui.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_1-1726353054367.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62245iBD81AED9F0DDA0C8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_1-1726353054367.png" alt="omarali53_1-1726353054367.png" /></span></P> <P>Just to make sure I logged into the CLI of the firewall and checked the routing table and zone of the source subnet. Here I am amazed to see that the CLI is showing a different source zone for the same IP address. here it is showing that the source interface is ae3.199 which is a different zone then inside.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_2-1726353282724.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62246i8919F70B48EA5159/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_2-1726353282724.png" alt="omarali53_2-1726353282724.png" /></span></P> <P>The routing table also states that the traffic from the subnet 10.151.0.0/16 belongs to the different zone (other than Inside).&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="omarali53_3-1726353419343.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62247i369D391E90E8068F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="omarali53_3-1726353419343.png" alt="omarali53_3-1726353419343.png" /></span></P> <P>Now I am curious that the Panorama GUI is showing that the source IP 10.151.103.124 belongs to the Inside zone. But the CLI in firewall and routing table states that the same IP belongs to the different zone. Someone please help me how to rectify and resolve this issue? what could be the cause of this problem?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 14 Sep 2024 22:38:38 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/597845#M3736 omarali53 2024-09-14T22:38:38Z https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/597874#M3740 <P>someone please help me. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Mon, 16 Sep 2024 07:37:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/597874#M3740 omarali53 2024-09-16T07:37:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/598057#M3751 <P>Looks like something is incorrect with your routing. The only route to 10.151.103.124 is through an interface in another zone, not through an interface on the inside zone.</P> <P>Where is the route for the more specific network 10.151.103.124? Do you have some kind of asymmetric routing happening?</P> Tue, 17 Sep 2024 23:20:04 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/problem-with-security-zones/m-p/598057#M3751 rmfalconer 2024-09-17T23:20:04Z