topic Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04 in General Topics

Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

lewis — Mon, 04 Jan 2016 19:00:47 GMT

Since upgrading to 7.0.4 our traffic logs now show the action of 'reset-both' and 'deny' when the rule explicitly has been set to 'deny'. This is occuring on multiple rules since upgrading from 6.1.8.

Example: we have a rule to block specific applications like bittorent, http-proxy, hola-unblocker, etc and the action is set to 'deny'. But now we see a mixture of 'deny' and or 'reset-both' for this rule. Before upgrading to 7.0.4 the action was always 'deny' as this is how the rule was setup

Is this to be expected? If so is there somewhere to read the explination?

Re: Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

pulukas — Tue, 05 Jan 2016 11:26:00 GMT

Do you have a security profile attached to the rule?

I'm wondering if that traffic may be hitting a threat id that has an action for reset both.

Re: Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

Brandon_Wertz — Tue, 05 Jan 2016 14:11:17 GMT

@lewishttps://downloads.paloaltonetworks.com/software/PAN-OS-7.0.4-RN.pdf?__gda__=1452055432_eb7de8c610922457f6e2196acd167d12

Under Changes to Default Behavior

"The default actions for handling threats now are alert or reset-both (sides of the connection). In releases prior to PAN-OS 7.0.0, the defaults were alert or block. On upgrade, the block action will be converted to reset-both; and the drop-packets option is now renamed as drop."

I looked at out "Application Deny Rule" which has no security profiles just the "deny" action selected and we've got "Reset-Both" as the action. So I guess it's just not a "threat" but for any "Deny." With the "drop" action now available. I'm guessing that selecting "Deny" is going to be the same as selecting "reset-both."

Re: Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

lewis — Tue, 05 Jan 2016 17:40:13 GMT

this was a part of my initial thinking too as we do have security profiles associated to the rules. However under further invesigation the traffic in question is not associated to any threat signatures.

Re: Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

lewis — Tue, 05 Jan 2016 17:42:46 GMT

Thanks Brandon_Wertz. I will have a look at this

Re: Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

lewis — Mon, 25 Jan 2016 17:57:58 GMT

I have since logged a ticket with support and they are still investigating as a possible bug as the action should only match what the policy is set too.

Re: Action Configured in Security Rules and Seen in Traffic Log is Inconsistent 7.04

lewis — Tue, 02 Feb 2016 18:29:05 GMT

I just received notifaction from support indicating although the action is set to deny in the policy the actual action can be different.

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/networking-features/granular-actions-for-blocking-traffic-in-security-policy.html#13774