topic Re: Intrazone-default Rule in Next-Generation Firewall Discussions

Intrazone-default Rule

JoohyeongLee — Wed, 08 Apr 2026 05:55:08 GMT

I have a question and would like some advice!

We currently operate by applying an “any-any deny” policy at the bottom of the stack and opening ports only for necessary traffic.
I noticed that the hit count is increasing on the “intrazone-default” allow policy at the bottom, even though the “any-any deny” policy is in place.
I enabled logging for the intrazone policy and checked the traffic logs, but most applications show up as “traceroute” or cannot be verified.
Also, while packets are being sent, no received packets are being confirmed.

Could someone explain why the hit count is increasing on the intrazone-default policy even though the any-any deny policy is in place?

Thank you!

Re: Intrazone-default Rule

CosminM — Wed, 08 Apr 2026 06:17:50 GMT

Hello @JoohyeongLee ,

I assume that your "any-any deny" rule is configured with the service "application-default".

When you select 'application-default' in the Service field of a security policy rule, it means that the specified applications are allowed or denied exclusively on their default ports as defined by Palo Alto Networks. For example, if the DNS application uses TCP port 53 and UDP port 53, this setting would only permit DNS traffic on those specific ports.

The Palo Alto Networks firewall, using its App-ID technology, continuously identifies applications traversing the network regardless of the port or protocol being used. Even when 'application-default' is selected, the firewall still checks for all applications on all ports .

Palo Alto Networks firewalls generally require a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake) to recognize an application using App-ID. In most cases, the application is identified before this amount of data is received.

So, the intrazone traffic will not match your "any-any deny" rule until App-ID engine recognize and label that traffic.

I recommend that for all your deny rules to setup service "any" and not "application-default".

Re: Intrazone-default Rule

JoohyeongLee — Wed, 08 Apr 2026 06:39:36 GMT

Hello. Thank you for your reply!
However, in the policy, everything—including the service port—is set to “any.”

Thank you!

Re: Intrazone-default Rule

abayoumi21 — Wed, 08 Apr 2026 08:11:05 GMT

This behavior is expected because the intrazone-default rule is still allowing same-zone traffic. To ensure your “any-any deny” rule applies to all traffic (including intra-zone), you should configure it as a Universal policy instead of an Interzone policy.

Explanation

In Palo Alto Networks, security policies can be defined as:

• Interzone → applies only to traffic between different zones
• Intrazone → applies only to traffic within the same zone
• Universal → applies to both interzone and intrazone traffic

If your “any-any deny” rule is configured as Interzone, it will not match intra-zone traffic. As a result, same-zone traffic will fall through and hit the default:

• intrazone-default → allow

This explains why you are seeing increasing hit counts on the intrazone-default rule.

Why You See Traceroute / Incomplete Traffic

The traffic showing as:

• traceroute
• unknown / incomplete
• sent packets with no return

is typically:

• Probing traffic (traceroute, monitoring tools)
• One-way traffic
• Asymmetric routing scenarios

Since this traffic is intra-zone and not matched by your deny rule, it is allowed by intrazone-default.