Rules proccessing

minow — Sun, 02 Mar 2014 11:40:26 GMT

Hey

i have a problem that traffic does not match to a rule

i have this rule

"VIP Users" {

profile-setting {

profiles {

file-blocking "Allowed file type-VIP";

}

option {

disable-server-response-inspection no;

}

from any;

to any;

source any;

destination any;

source-user [ "cn=vip internet......."];

category any;

application any;

service any;

hip-profiles any;

action allow;

log-start no;

log-end yes;

negate-source no;

negate-destination no;

disabled no;

}

and i can see in the logs that the traffic is matching on a lower rule, which have security profile on it, and i cannot understand why

the "VIP Internet" is a security group and the user is a member of this group and "show user ip-user-mapping ip x.x.x.x" with the client ip is showing this group under the mapped user

i have also try the

test-security-policy command and also the result is matched on a lower rule

what i don't understand is:

1) does the test-security-policy calculates the current group membership?

2) i know that PA will change the applied rule if a more specific application signature is matched, but if i have upper rule with the application "any" so the more specific app is inside the "any" application am i right?

3) how can i troubleshoot it deeper?

Re: Rules proccessing

HULK — Sun, 02 Mar 2014 20:03:26 GMT

Hello Minow,

If I understand it correctly, the security policy "VIP Users" is placed on the top of the policy table.

Could you please verify the traffic logs (user name), which is not hitting the first rule " VIP Users":

The Users on the security policy can be one of the below mentioned options: Any, Pre-login, unknown,known-users, select.

known-user—Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the “domain users” group on a domain. >>>>>>>>>>>>> Could you please check if you have mapping for that user on PAN firewall.

CLI command to verify: > show user ip-user-mapping ip x.x.x.x ( IP address)

Select—Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.

Note: If you are using a RADIUS server and not the User-ID Agent, the list of users is not displayed, and you must enter user information manually.

Thanks

topic Re: Rules proccessing in General Topics

Rules proccessing

Re: Rules proccessing