https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223451#M5672 <P>Hi, Suresh,</P> <P>&nbsp;</P> <P>Many thanks for your detailed help - while it didn't help I got to the solution at the end&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> <P>&nbsp;</P> <P>For some reason, when reading number 5., I got an idea from your number 1. where mentioning if it's actually passing through the firewall - and then it hit me! And I am not ashamed to admit that I am still learning PA and the networking so I haven't thought of the "intrazone" rule and scenario straight away. Both hosts were on the same subnet/zone. Hence the traffic was not traversing firewall if it didn't go out of the zone, and of course hitting the rules. So anything in the same zone was working all the time, while anything going one was hitting the correct rules - hence discrepency.</P> <P>&nbsp;</P> <P>Regardless, you gave me the idea and it's still kind of "accepted" solution, so thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>G</P> Tue, 11 Mar 2025 15:38:25 GMT GregorJus 2025-03-11T15:38:25Z https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223187#M5653 <P>I've come across the most odd issue that I can't figure it out for the life of me. I am only hopping it's some silly "tick box" or something I have missed. Long story short...</P> <P>&nbsp;</P> <P>I have created a very simple top security rule with IP address as a source (any zone/user/device) towards any destination (any zone/application/service) and set it to deny. Sadly it doesn't work fully. Example below - how can that even be?</P> <P>&nbsp;</P> <UL> <LI>web browsing is blocked</LI> <LI>ping is NOT blocked</LI> <LI>RDP (mstsc) is also NOT blocked</LI> </UL> <P>Furthermore, looking at the traffic log there is no signs of any RDP traffic, pings, etc. Nothing is recognised.</P> <P>&nbsp;</P> <P>Any idea?<BR />Thanks</P> Fri, 07 Mar 2025 20:54:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223187#M5653 GregorJus 2025-03-07T20:54:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223279#M5656 <P>Hi Can you share you policy config to look into it.</P> <P>&nbsp;</P> <P>However here the possible reasons for the issue.</P> <P>it sounds like your top security rule should be blocking all traffic from the specified source IP, but some traffic types (ICMP for ping, RDP) are still passing through.</P> <P>&nbsp;</P> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 whitespace-normal break-words text-start [.text-message+&amp;]:mt-5" dir="auto" data-message-author-role="assistant" data-message-id="a401fa63-181f-49bd-abc9-0329c3b4a4dc" data-message-model-slug="gpt-4o"> <DIV class="flex w-full flex-col gap-1 empty:hidden first:pt-[3px]"> <DIV class="markdown prose w-full break-words dark:prose-invert light"> <P data-start="229" data-end="289"><STRONG>1. Ensure the Traffic is Routed Through the Firewall</STRONG></P> <P>If you don’t see any logs for RDP or ICMP traffic, the firewall might not be processing these packets.</P> <P>Verify that the traffic is actually passing through the firewall and not taking an alternate route (e.g., direct L2 switching or a different gateway).</P> <P data-start="555" data-end="600"><STRONG>2. Check for Security Policy Matching</STRONG></P> <P>Use the Test Security Policy Match tool in PAN-OS to see if the traffic is hitting the expected rule.</P> <P>If the traffic is not matching your deny rule, it might be getting permitted by another rule lower in the rulebase.</P> <P data-start="834" data-end="867"><STRONG>3. ICMP and Ping Handling</STRONG></P> <P>By default, ICMP (ping) is often handled by a separate setting under Network &gt; Network Profiles &gt; Security Profiles &gt; Zone Protection Profiles rather than the security policy.</P> <P>Ensure your Zone Protection Profile is configured to block ICMP if needed.</P> <P data-start="1138" data-end="1193"><STRONG>4. Application Identification and Session Setup</STRONG></P> <P>Some protocols like RDP (mstsc) might not be identified immediately in the first few packets.</P> <P>Ensure your rule is not limited to a specific application but instead set to "any" in the application field.</P> <P>If using application-based security policies, try switching to a service (port-based) rule instead.</P> <P data-start="1521" data-end="1560"><STRONG>5. Check for Asymmetric Routing</STRONG></P> <P>If the firewall sees only one side of the communication, it may not properly detect or log the traffic.</P> <P>Run Session Browser under Monitor &gt; Session Browser to check if the sessions are established as expected.</P> <P data-start="1790" data-end="1849"><STRONG>6. Security Rule Logging and Logging at Session End</STRONG></P> <P>Ensure your deny rule has "Log at Session End" enabled so that all blocked attempts are visible in the traffic logs.</P> <P data-start="1977" data-end="2118">Would you be able to provide a screenshot of your security rule or clarify if NAT is involved? That could help narrow down the issue further.</P> </DIV> </DIV> </DIV> Sun, 09 Mar 2025 02:44:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223279#M5656 Mudhireddy 2025-03-09T02:44:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223451#M5672 <P>Hi, Suresh,</P> <P>&nbsp;</P> <P>Many thanks for your detailed help - while it didn't help I got to the solution at the end&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> <P>&nbsp;</P> <P>For some reason, when reading number 5., I got an idea from your number 1. where mentioning if it's actually passing through the firewall - and then it hit me! And I am not ashamed to admit that I am still learning PA and the networking so I haven't thought of the "intrazone" rule and scenario straight away. Both hosts were on the same subnet/zone. Hence the traffic was not traversing firewall if it didn't go out of the zone, and of course hitting the rules. So anything in the same zone was working all the time, while anything going one was hitting the correct rules - hence discrepency.</P> <P>&nbsp;</P> <P>Regardless, you gave me the idea and it's still kind of "accepted" solution, so thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>G</P> Tue, 11 Mar 2025 15:38:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/security-policies-not-working/m-p/1223451#M5672 GregorJus 2025-03-11T15:38:25Z