topic Re: Shadow Rule warning in General Topics

Shadow Rule warning

RC-BHF — Fri, 16 Mar 2018 16:33:28 GMT

Hello

When apllying a rules in PA I get the warning message re shadow rule.

I have two rules where

rule 1 allows SSL between source and dest on standard SSL port

rule 2 allows SSL between the (same) source and dest on a non standard SSL port

I get a warning about rule 1 shadowing rule 2

How can I combine ther two rules so that I do not get that warning anymore

I always assumed that the two rules could not combined as one rule uses a custom ports.

Re: Shadow Rule warning

Mick_Ball — Fri, 16 Mar 2018 16:41:21 GMT

maybe i've missed something here but just have rule 2 as it covers rule 1.

Re: Shadow Rule warning

Mick_Ball — Fri, 16 Mar 2018 16:48:28 GMT

its like saying..

1, allow fred to go to tescos with green shoes

2, allow fred to go to tescos with any colour shoes..

1. is pointless, fred gets to tescos regardless of shoe colour,

i would imagine that despite different shoe colours, fred will collect the same ammount of clubcard points on equal purchase, but that may be of no relevance here...

Re: Shadow Rule warning

BPry — Fri, 16 Mar 2018 16:54:26 GMT

@RC-BHF,

Are you utilizing app-id in either of the rules? If the answer is yes, you would have to do the following to combine them.

1) Lookup the standard ports for the listed application, 'SSL' for example. Since it defaults to tcp-443, you would utilize service-https which is included as a service by default. Then for your non-standard port (I'll call it tcp-444) you would build a custom service object that work match for protocol TCP on destination port 444. Then you could allow 'SSL' with the service set as [ service-https tcp-444 ] and all traffic would match this one rule.

2) You could build out a custom app-id signature that would match the non-standard port. Then you would simply maintain one rule that has the application as [ ssl 'custom-app' ] and traffic would match this one rule.

3) You could not be using app-id at all, in which case you only actually need to build a service object for the non-standard SSL port and at it into the first rule.

Re: Shadow Rule warning

BPry — Fri, 16 Mar 2018 16:59:54 GMT

@Mick_Ball,

I think what's happening is that a rule exists that allows application 'SSL' on service 'applicaiton-default', which would cover the standard traffic.

Then there is another rule that allows application 'SSL' on service 'custom-service'.

@RC-BHF,

The one thing that I would caution here when setting an identified application to specified services, is to make sure that the app-id updates don't make any changes to how this traffic is actually identified. If your 'custom-app' or whatever is using a custom port gets categorized in a future update as 'splunk', then this rule will stop matching the traffic properly.

Re: Shadow Rule warning

Royalfr — Wed, 19 Feb 2020 16:46:36 GMT

I have this issue as well. And while the example is kindergarten simple, the problem continues in many permutations.

I create a rules allowing the many microsoft services that Non-Controllers use between some server networks.

Then I have to make a rule for web-browsing on a non standard port (TCP9201) involving some of the same servers.

SHADOW WARNING

Despite that there is NO shadowing whatsoever. The first rule doesn't allow the traffic the second rule allows. I can't combine them-because that would permit many permutations ot use non-standard ports that should be blocked.

Clearly the shadow logic completely ignores the SERVICE field of all rules. So many of my non-default port rules are "shadowed" if their protocol was previously allowed with any other service configured. This is just bad logic on PaloAlto's part.

Re: Shadow Rule warning

WilliamD — Thu, 08 Sep 2022 08:58:11 GMT

I think you hit the nail on the head. In my case:

external-IP-1 has a rule to NAT to internal-IP-1 on service HTTPS

external-IP-1 has a rule to NAT to internal-IP-2 on service HTTP

Same external IP but different internal IP is giving me a shadow rule. These are bi-directional rules but my understanding is the 'hidden rule' created using bi-directional rules will still abide by the service and therefore not create a shadow rule?