https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455466#M607 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204251">@jguffroy</a>&nbsp;</P> <P>Also check this url</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0</A></P> <P>&nbsp;</P> <P>Regards</P> Sat, 25 Dec 2021 22:45:36 GMT MP18 2021-12-25T22:45:36Z https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/454942#M593 <P>Hello,</P> <P>&nbsp;</P> <P>we're encountred an issue with SAAS service, we created a security rule&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jguffroy_0-1640167686948.png" style="width: 836px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38305i8E73EB9BCC93BB7C/image-dimensions/836x138/is-moderation-mode/true?v=v2" width="836" height="138" role="button" title="jguffroy_0-1640167686948.png" alt="jguffroy_0-1640167686948.png" /></span></P> <P>&nbsp;</P> <P>but randomly we had issue during connection into the application, after packet capture, I saw a lot of tcp retransmission and client reset</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jguffroy_1-1640167824901.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38306iAAC15F3F5A1992F4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="jguffroy_1-1640167824901.png" alt="jguffroy_1-1640167824901.png" /></span></P> <P>When I checked the panorama logs I saw that the rule is not matched and flow is denied but I dont understand why because the security rule should be enough permissive.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jguffroy_2-1640167920421.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38307iB56C281CE944C36F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="jguffroy_2-1640167920421.png" alt="jguffroy_2-1640167920421.png" /></span></P> <P>Did you already encountred this issue ?</P> <P>&nbsp;</P> <P>thank you for your feedback</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 Dec 2021 10:12:41 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/454942#M593 jguffroy 2021-12-22T10:12:41Z https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455456#M605 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204251">@jguffroy</a></P> <P>&nbsp;</P> <P>Based on screen shot you supplied it is not clear what the root cause is. Would it be possible to navigate in the log to very left side and click on magnifying glass, get session ID from denied and allowed log, then navigate to Firewall's CLI and check/compare details of each session?</P> <P>&nbsp;</P> <P>show session id &lt;session id&gt;</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Sat, 25 Dec 2021 22:36:49 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455456#M605 PavelK 2021-12-25T22:36:49Z https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455463#M606 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204251">@jguffroy</a>&nbsp;</P> <P>&nbsp;</P> <P>If you have FQDN as destination address then that can be issue if IP changes on the url and PA it is not refreshed.</P> <P>Default FQDN timer is 30 mins.</P> <P>&nbsp;</P> <P>You can click on Destination address under address and then click on FQDN to see which IP it resolves and compare it with the</P> <P>deny rule.</P> <P>&nbsp;</P> <P>You can also refresh the fqdn so it learns the new ip of the fqdn</P> <P>&nbsp;</P> <P>Regards</P> Sat, 25 Dec 2021 22:43:19 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455463#M606 MP18 2021-12-25T22:43:19Z https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455466#M607 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204251">@jguffroy</a>&nbsp;</P> <P>Also check this url</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0</A></P> <P>&nbsp;</P> <P>Regards</P> Sat, 25 Dec 2021 22:45:36 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/packet-deny-even-if-there-is-an-allow-rule/m-p/455466#M607 MP18 2021-12-25T22:45:36Z