topic Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. in General Topics https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2295#M1695 <HTML><HEAD></HEAD><BODY><P>What if you did an allow rule to the US above the rule that's not working, and then do your negate rule directly after it?</P></BODY></HTML> Thu, 16 May 2013 14:17:20 GMT ericgearhart 2013-05-16T14:17:20Z What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2294#M1694 <HTML><HEAD></HEAD><BODY><P>Hi all!</P><P></P><P>I have a new policy that I pushed yesterday that was a total failure and any help you can offer would be appreciated.</P><P></P><P>We have a policy that looks like this:</P><P></P><P>Source &lt;Internal IP addresses&gt;</P><P>Destination &lt;Negate Region US&gt;</P><P>Application &lt;unknown-tcp, unknown-udp&gt;</P><P>DENY</P><P></P><P>However, it is catching and DENYing all unknown-tcp and unknown-udp regardless of Destination Country. We have some internal applications used by our customers that this blocks as I haven't been able to classify all applications we use in house as of yet.</P><P></P><P>This logic seems like it should be working, am I doing something wrong?</P><P></P><P>Thanks,</P><P>Benc</P></BODY></HTML> Thu, 16 May 2013 13:14:32 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2294#M1694 bgranholm 2013-05-16T13:14:32Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2295#M1695 <HTML><HEAD></HEAD><BODY><P>What if you did an allow rule to the US above the rule that's not working, and then do your negate rule directly after it?</P></BODY></HTML> Thu, 16 May 2013 14:17:20 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2295#M1695 ericgearhart 2013-05-16T14:17:20Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2296#M1696 <HTML><HEAD></HEAD><BODY><P>I don't want to create policy sprawl, I would rather keep it in one rule.</P></BODY></HTML> Thu, 16 May 2013 15:13:42 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2296#M1696 bgranholm 2013-05-16T15:13:42Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2297#M1697 <HTML><HEAD></HEAD><BODY><P>Did you check the destination country from IP address you want to pass through?</P><P>You can check it as follow.</P><P>&gt; show location ip 1.1.1.1</P><P>If your customer's IP address is not US, I think that's expected behavior.</P></BODY></HTML> Thu, 16 May 2013 15:25:32 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2297#M1697 emr_1 2013-05-16T15:25:32Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2298#M1698 <HTML><HEAD></HEAD><BODY><P>Our customer's IP space was internal space, they are the source. The destination was definitely an IP in the US and it still got blocked.</P></BODY></HTML> Thu, 16 May 2013 15:27:32 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2298#M1698 bgranholm 2013-05-16T15:27:32Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2299#M1699 <HTML><HEAD></HEAD><BODY><P>Honestly it's frustrating to even make suggestions here because you won't even just try some of the suggestions. Do the 'show location ip' command and let us see what the PA thinks the destination country is. Try tossing in the "policy sprawl" rule just to see if it works.</P><P></P><P>If you won't at least just try some things to see if they make a difference or reveal the problem, then there's no point in asking for help, right?</P></BODY></HTML> Thu, 16 May 2013 15:31:16 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2299#M1699 ericgearhart 2013-05-16T15:31:16Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2300#M1700 <HTML><HEAD></HEAD><BODY><P>If it is internal space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) it will not be seen as the United States. The location is seen as "Reserved", as seen by the command given by egearhart.</P><P></P><P>If the destination address is an IPv6 address, it may not yet be supported.</P><P></P><P>When you look at the traffic logs for that traffic, how many packets are seen in the c2s and s2c flows? You can also check the session id (CLI command: show session id 123456) that is present in the logs to see what application it is identified as and which rule it is hitting.</P><P></P><P>Hope this helps,</P><P>Greg Wesson </P></BODY></HTML> Thu, 16 May 2013 16:22:31 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2300#M1700 gwesson 2013-05-16T16:22:31Z Re: What am I doing wrong? This policy to block unknown traffic to countries outside the US. https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2301#M1701 <HTML><HEAD></HEAD><BODY><P>I apologize as apparently I was not being clear enough.</P><P></P><P>In the traffic logs, this rule is blocking ALL unknown-tcp and udp traffic, even the traffic that has a Destination Country of US.</P><P></P><P>Here is my rule with the non-public bits removed in set notation. It is in our security post-rules for our Internet traffic.</P><P></P><P>"Block unknown to non-US" from any</P><P>"Block unknown to non-US" to any</P><P>"Block unknown to non-US" source "&lt;Internal Private Address Space&gt;"</P><P>"Block unknown to non-US" destination US</P><P>"Block unknown to non-US" source-user any</P><P>"Block unknown to non-US" category any</P><P>"Block unknown to non-US" application unknown-tcp</P><P>"Block unknown to non-US" application unknown-udp</P><P>"Block unknown to non-US" service any</P><P>"Block unknown to non-US" hip-profiles any</P><P>"Block unknown to non-US" negate-source no</P><P>"Block unknown to non-US" negate-destination yes</P><P>"Block unknown to non-US" action deny</P></BODY></HTML> Thu, 16 May 2013 17:43:27 GMT https://live.paloaltonetworks.com/t5/general-topics/what-am-i-doing-wrong-this-policy-to-block-unknown-traffic-to/m-p/2301#M1701 bgranholm 2013-05-16T17:43:27Z