https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495846#M105097 <P>That was it! This resolved so many issues for me. I couldn't understand how traffic wasn't matching for quite a few other apps/functions within my network. I greatly appreciate the help!</P> Tue, 31 May 2022 16:00:35 GMT dustin.campbell 2022-05-31T16:00:35Z https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495675#M105087 <P>Hello! I am having quite a few strange behaviors from the Palo Alto firewalls. I have a rule for an entire subnet (10.209.82.0/24) to be allowed from inside to outside zones via any port to any IP address yet there is still somehow traffic being denied. Obviously, this isn't the greatest from a security perspective, but I arrived there out of frustration and trying to get this to work. This is happening with a few other rules as well. I have one that allows 10.209.69.0/25 out to any IP and any port. This one is odd because 10.209.69.110 can match this rule and successfully get out to a public resource that it builds a VPN tunnel to, but 10.209.69.111 doesn't match that rule at all and ends up hitting the default deny rule. I have double checked the objects over and over to ensure the subnets are correctly configured. A basic NAT is setup to NAT inside to outside to the outside IP address of the Palo Alto, which does work for everything else. I'm able to browse the web and most other functions within the data center (too many to list) are working correctly. I'm just starting to have more and more wonky issues like this lately.&nbsp;&nbsp;</P> Tue, 31 May 2022 14:58:01 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495675#M105087 dustin.campbell 2022-05-31T14:58:01Z https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495700#M105089 <P>Hello,</P><P>&nbsp;</P><P>Have you checked that the subnets are configured correctly on the interfaces within the zone you are writing in your security rule?</P><P>&nbsp;</P><P>Maybe you can share a screenshot with traffic logs and security rule for check it.</P><P><BR />Regards</P> Tue, 31 May 2022 15:05:59 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495700#M105089 Alpalo 2022-05-31T15:05:59Z https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495726#M105090 <P>Thanks for your response! I have checked that the subnets are correct a few times. I keep questioning that myself, but they are correct. Here's two screenshots. One of the actual rule configured, which is essentially wide open for that subnet. The second is a screenshot of the logs where traffic has been denied today.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dustincampbell_0-1654010002677.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41497iB5A1330AC7CC2BFC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="dustincampbell_0-1654010002677.png" alt="dustincampbell_0-1654010002677.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dustincampbell_1-1654010015914.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41498i724507D29E7CE154/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="dustincampbell_1-1654010015914.png" alt="dustincampbell_1-1654010015914.png" /></span></P><P>&nbsp;</P> Tue, 31 May 2022 15:13:43 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495726#M105090 dustin.campbell 2022-05-31T15:13:43Z https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495753#M105092 <P>Delete application-default and try again...</P><P>You are trying connect to port 10000 and open-vpn use&nbsp;tcp/1194, tcp/443, udp/1194</P><P>&nbsp;</P><TABLE cellspacing="0"><TBODY><TR><TD><DIV class=""><DIV class=""><STRONG>Name:&nbsp;&nbsp;</STRONG><DIV class=""><DIV class="">open-vpn</DIV></DIV><DIV class="">&nbsp;</DIV></DIV></DIV></TD></TR><TR><TD><DIV class=""><DIV class=""><STRONG>Standard Ports:&nbsp;&nbsp;</STRONG><DIV class=""><DIV class="">tcp/1194, tcp/443, udp/1194</DIV></DIV><DIV class="">&nbsp;</DIV></DIV></DIV></TD></TR><TR><TD><DIV class="">&nbsp;</DIV></TD></TR><TR><TD><DIV class=""><DIV class=""><STRONG>Depends on:&nbsp;&nbsp;</STRONG><DIV class=""><DIV class="">ssl, web-browsing</DIV></DIV></DIV></DIV></TD></TR></TBODY></TABLE> Tue, 31 May 2022 15:21:24 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495753#M105092 Alpalo 2022-05-31T15:21:24Z https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495846#M105097 <P>That was it! This resolved so many issues for me. I couldn't understand how traffic wasn't matching for quite a few other apps/functions within my network. I greatly appreciate the help!</P> Tue, 31 May 2022 16:00:35 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policies-not-matching-traffic/m-p/495846#M105097 dustin.campbell 2022-05-31T16:00:35Z