https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570602#M114972 <P>Hi,</P> <P>&nbsp;</P> <P>We have a security rule set up to allow voip traffic from A to B but limited to certain ports.</P> <P>&nbsp;</P> <P>We are see an allowed traffic that matches the source and destination but however has a port number that is not in the list of allowed ports, with end reason aged out.</P> <P>&nbsp;</P> <P>I would like to know how does the firewall actually do a lookup on the security policy as technically if the port number does not match traffic shouldn't be allowed.</P> Thu, 21 Dec 2023 08:35:40 GMT barry_lee 2023-12-21T08:35:40Z https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570602#M114972 <P>Hi,</P> <P>&nbsp;</P> <P>We have a security rule set up to allow voip traffic from A to B but limited to certain ports.</P> <P>&nbsp;</P> <P>We are see an allowed traffic that matches the source and destination but however has a port number that is not in the list of allowed ports, with end reason aged out.</P> <P>&nbsp;</P> <P>I would like to know how does the firewall actually do a lookup on the security policy as technically if the port number does not match traffic shouldn't be allowed.</P> Thu, 21 Dec 2023 08:35:40 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570602#M114972 barry_lee 2023-12-21T08:35:40Z https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570637#M114977 <P>are your ports set as services or as application-default?</P> <P>if you're seeing ports you didn't expect, the session is most likely being allowed by a different rule</P> <P>&nbsp;</P> <P>are you able to provide screenshots?</P> Thu, 21 Dec 2023 12:56:22 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570637#M114977 reaper 2023-12-21T12:56:22Z https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570653#M114982 <P>I'm unable to provide screenshots.</P> <P>ports are set under services. i can see traffic logs hitting the voip rule.</P> <P>weird thing is that port that is being allowed is not in the list of allowed ports.</P> Thu, 21 Dec 2023 14:09:34 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570653#M114982 barry_lee 2023-12-21T14:09:34Z https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570725#M114989 <P>When you say you allow "voip" traffic, what's the actual application?&nbsp; Is that application the only defined application on the rule?&nbsp; When you say "A to B" you have a defined source and destination IP objects/networks?&nbsp; As for the service (ports that are allowed and also not matching), are you certain the service object you're using isn't a service range?</P> <P>&nbsp;</P> <P>To confirm you're saying the rule looks like this?<BR /><BR />Source --&gt; 1.1.1.0/24 (internal zone) | Destination --&gt; 2.2.2.0/24 (internet zone) | Application &lt;defined application&gt; (not app any) | Service --&gt; &lt;specific ports defined&gt; (Service 'Any' not selected in the drop down, as well as tcp/udp is defined on the service)</P> <P>&nbsp;</P> <P>You're saying you have these options configured and you're seeing a port being allowed on this rule from a session allow / end?</P> Fri, 22 Dec 2023 14:35:16 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-security-policy-match-criteria-query/m-p/570725#M114989 Brandon_Wertz 2023-12-22T14:35:16Z