https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160449#M52300 <P>Hey,</P><P>&nbsp;</P><P>Can you post the screen shot&nbsp;of your policy set-up, please? Who is the&nbsp;source and who is the destination? Do you think destination(s) .141 and .2 are in the different zones?&nbsp; &nbsp;Usually, device will do exactly what you have asked it to do. Unfortunately, this is not always the same as what you want.</P> Fri, 09 Jun 2017 20:32:39 GMT TranceforLife 2017-06-09T20:32:39Z https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160438#M52298 <P>Howdy All,</P><P>&nbsp;</P><P>I'm running into an issue where traffic from "Colo-Voice" segment bound to Any on the inside is hittin an "Any L3" policy (shown below) that's in place as the last policy. During our capture, we can see there's another host from the same segment bound for the same segment however it is hitting the "Cisco Voice-to-Internal_Trust" policy (as it should be.) Below are the two rules configured on the PAN. We can't see to figure out why the host hitting the "Any L3" policy is not hitting the "Cisco Voice-to-Internal_Trust". For all sense and purposes, this traffic "should" hit the Cisco Voice...policy first.</P><P>&nbsp;</P><P>Our goal is to finally be able to remove the "Any L3" policy so that the PAN can be locked down.</P><P>&nbsp;</P><P>Any input on this is greatly appreciated.</P><P>&nbsp;</P><P>================================</P><P>}<BR />"Cisco Voice-to-Internal_Trust" {<BR />from Colo-Voice;<BR />to Internal_Trust;<BR />source 10.10.60.0/24;<BR />destination any;<BR />source-user any;<BR />category any;<BR />application [ cisco-rtmt informix ms-office365-base ntp outlook-web-online rmi-iiop rtcp rtp-base sccp sip ssh ssl tftp web-browsing];<BR />service any;<BR />hip-profiles any;<BR />action allow;<BR />}</P><P>&nbsp;</P><P>"Any L3" {<BR />from [ Colo-Voice FW_110 Mgmt P2P SF-113 SF-114 SF-115 SF-116 Trust UCS-Mgmt Internal_Trust];<BR />to [ Colo-Voice FW_110 Mgmt P2P SF-113 SF-114 SF-115 SF-116 Trust UCS-Mgmt Internal_Trust];<BR />source any;<BR />destination any;<BR />source-user any;<BR />category any;<BR />application any;<BR />service any;<BR />hip-profiles any;<BR />action allow;<BR />profile-setting {<BR />group Monitor;<BR />}<BR />disabled no;</P><P>&nbsp;</P><P><SPAN>================================</SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9614i337873048E2CBA31/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></SPAN></P> Fri, 09 Jun 2017 18:26:41 GMT https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160438#M52298 F.Ledesma 2017-06-09T18:26:41Z https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160449#M52300 <P>Hey,</P><P>&nbsp;</P><P>Can you post the screen shot&nbsp;of your policy set-up, please? Who is the&nbsp;source and who is the destination? Do you think destination(s) .141 and .2 are in the different zones?&nbsp; &nbsp;Usually, device will do exactly what you have asked it to do. Unfortunately, this is not always the same as what you want.</P> Fri, 09 Jun 2017 20:32:39 GMT https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160449#M52300 TranceforLife 2017-06-09T20:32:39Z https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160460#M52302 <P>Hi,</P><P>&nbsp;</P><P>Cap11 shows some of the rules above the 'Any L3'. &nbsp;Cap12 shows the 'Any L3' Rule. &nbsp;I have screen cap of all the policies that precede the&nbsp;<SPAN> "Cisco Voice-to-Internal_Trust".</SPAN></P><P>&nbsp;</P><P><SPAN>Please advise if anything else is needed.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks!<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cap11" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9616iC8D46050707D4B3F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture11.PNG" alt="Cap11" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Cap11</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cap12" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9615i191A95135C693F83/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture12.PNG" alt="Cap12" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Cap12</span></span></SPAN></P> Fri, 09 Jun 2017 21:05:46 GMT https://live.paloaltonetworks.com/t5/general-topics/same-zone-traffic-to-inside-hitting-different-rules/m-p/160460#M52302 F.Ledesma 2017-06-09T21:05:46Z