https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565843#M114397 <P>Sorry, I should have mentioned that I did commit the change.</P> Wed, 15 Nov 2023 15:29:38 GMT pehlmanj 2023-11-15T15:29:38Z https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565667#M114374 <P>I created a policy (number 21) that allows several types of traffic outbound (ssh, https, tcp 8989, tcp 61000 - 65535, and UDP 1024-65535).&nbsp; All traffic seems to be passing except SSH, which is being blocked by policy number 25, which is supposed to be disabled.&nbsp; During troubleshooting, it looked like policy 25 was responsible for denying my SSH traffic, so I disabled policy number 25 to continue troubleshooting, but when I look at the monitor, policy 25's name is being referenced as the reason the SSH traffic is being denied.&nbsp; Is there something more to disabling a policy other than just highlighting the policy, and clicking the disable button?&nbsp; The policy is "greyed out" so it looks like it's disabled, but my SSH traffic still isnt flowing.</P> Tue, 14 Nov 2023 19:17:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565667#M114374 pehlmanj 2023-11-14T19:17:01Z https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565695#M114380 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/323501">@pehlmanj</a>&nbsp;,</P> <P>&nbsp;</P> <P>After disabling a policy, please commit your changes to the firewall. Once committed, the disable should be enforced for new traffic.&nbsp;</P> Tue, 14 Nov 2023 23:11:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565695#M114380 JayGolf 2023-11-14T23:11:51Z https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565843#M114397 <P>Sorry, I should have mentioned that I did commit the change.</P> Wed, 15 Nov 2023 15:29:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565843#M114397 pehlmanj 2023-11-15T15:29:38Z https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565898#M114404 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/323501">@pehlmanj</a>,</P> <P>The&nbsp;<EM>only&nbsp;</EM>way that makes any sense is if you've modified defaults so that 'rematch sessions' is not enabled, or you didn't actually commit the change. If you've actually committed the changes the only way this makes sense is if you've disabled rematch sessions in which case you'll want to change that back to default and just enable it again.</P> Wed, 15 Nov 2023 22:22:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/565898#M114404 BPry 2023-11-15T22:22:58Z https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/566017#M114426 <P>"Rematch sessions" is enabled. (It was never disabled).&nbsp; And changes were committed.&nbsp; The rule in question is showing up as "greyed out" but the monitor is still pointing to it as the cause of my SSH denials.</P> Thu, 16 Nov 2023 16:43:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-traffic-on-one-policy-appears-to-be-denied-by-a-policy-that/m-p/566017#M114426 pehlmanj 2023-11-16T16:43:06Z