https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/472474#M103214 <P>I have been adding IP wildcard objects into security policy rules and they have been working until yesterday when I added some new rules with several wildcard objects.&nbsp; I have looked on the support site to see if there are any limitations on how many wildcard objects you can use in a rule and/or in a policy and I have not found anything.&nbsp; I have opened a ticket on the support site, but wondering if anyone else has seen any issues using wildcard masks for objects using v9.1.</P><P>&nbsp;</P><P>Thank you</P> Fri, 11 Mar 2022 20:10:33 GMT RandyQueen 2022-03-11T20:10:33Z https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/472474#M103214 <P>I have been adding IP wildcard objects into security policy rules and they have been working until yesterday when I added some new rules with several wildcard objects.&nbsp; I have looked on the support site to see if there are any limitations on how many wildcard objects you can use in a rule and/or in a policy and I have not found anything.&nbsp; I have opened a ticket on the support site, but wondering if anyone else has seen any issues using wildcard masks for objects using v9.1.</P><P>&nbsp;</P><P>Thank you</P> Fri, 11 Mar 2022 20:10:33 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/472474#M103214 RandyQueen 2022-03-11T20:10:33Z https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/473997#M103338 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41084">@RandyQueen</a> ,</P> <P>&nbsp;</P> <P>Were you able to get an answer ?</P> <P>Are you seeing some error while configuring the rules or are they just not working as you'd expect ?</P> <P>Any chance to provide some more details ?</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 17 Mar 2022 10:22:17 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/473997#M103338 kiwi 2022-03-17T10:22:17Z https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/474040#M103339 <P>No, I did not get an answer.&nbsp; I am still waiting on an engineer to connect with me to review what happened as well.</P><P>&nbsp;</P><P>We have over 2000 stores and we use the same IP address scheme in each of our stores - the last octet is the same for each device in each store, so we had been using EDLs for the devices and using up a lot of IP addresses.&nbsp; We have been cloning existing rules and swapping the EDL for a wildcard mask and after confirming it was hitting the new rule, we would remove the EDL in the previously used rule and validate that traffic was not interrupted and hitting the new rule.&nbsp; It had been working for several weeks, until the last rules that we created.&nbsp; The traffic did not hit the new rule and for some reason even bypassed the existing rule and traffic was being blocked because it was hitting a rule further down the stack that did not have the same privileges.&nbsp; The rules created were for one type of device and even traffic for a different device that had been working suddenly was not hitting that rule and getting blocked.</P><P>&nbsp;</P><P>I could not find much documentation on the support site other than an explanation of how the wildcard worked and explaining that there could be issues with overlapping based on how much of the binary string was matched.</P><P>&nbsp;</P><P>Thank you for asking,</P><P>&nbsp;</P><P>Randy</P> Thu, 17 Mar 2022 13:27:31 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ip-wildcard-masks-in-security-policy-rules/m-p/474040#M103339 RandyQueen 2022-03-17T13:27:31Z