https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172854#M54493 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/50331">@MPI-AE</a>,</P><P>If I would have to guess you likely want to take a look at the below article. It sounds like you don't have session-rematch enabled and the session wasn't getting properly closed on the session table.&nbsp;</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-Session-Rematch-Works/ta-p/60326" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-Session-Rematch-Works/ta-p/60326</A></P> Wed, 23 Aug 2017 14:19:26 GMT BPry 2017-08-23T14:19:26Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172359#M54383 <P>Hey all!</P><P>There is a strange problem with my PA 3020 7.1.7:</P><P>I need access from a client pc to a printer with many ports so for testing I set up a security rule with application any and service any.</P><P>The rule is enabled but it's not effective.</P><P>The firewall even doesn't have traffic logs for this connection.</P><P>&nbsp;</P><P>I already had this problem in the past, I don't know anymore how I solved it.</P><P>&nbsp;</P><P>Are there some things I can do?</P><P>&nbsp;</P><P>Thank you!</P> Mon, 21 Aug 2017 08:28:04 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172359#M54383 MPI-AE 2017-08-21T08:28:04Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172367#M54384 <P>Hi,</P><P>&nbsp;</P><P>Did you enable log in the new policy? Are you sure that the user's traffic is passing (or should pass) the firewall in order to reach the printer?&nbsp;For the test create any to any zone with the source ip of the test pc going to the destination ip of the printer.&nbsp;</P> Mon, 21 Aug 2017 08:43:01 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172367#M54384 TranceforLife 2017-08-21T08:43:01Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172402#M54388 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/50331">@MPI-AE</a></P><P>In addition to <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37163">@TranceforLife</a>'s question: if you log the traffic, do you have no logs for that rule or effectively for that connection (src and dst IP as filter)?</P><P>Or is the printer may be not responding (or wrong/no default gateway?) And you have a rule above your any-any-allow rule with an application with default ports "tcp/udp/dynamic", so all connections never hit your test-rule?</P> Mon, 21 Aug 2017 13:37:45 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172402#M54388 Remo 2017-08-21T13:37:45Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172501#M54417 <P>If pc sends traffic to printer but printer does not answer then Palo logs application as incomplete.</P><P><A title="https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711" href="https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711</A></P><P>&nbsp;</P><P>Does traffic pass firewall? Even if PC and printer are in different subnet there might be Layer3 switch routing traffic between internal subnets.</P><P>Does traffic match this test rule? I mean are source/destination zones correct etc?</P> Tue, 22 Aug 2017 01:46:00 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172501#M54417 Raido_Rattameister 2017-08-22T01:46:00Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172768#M54471 <P>Thanks for your answers!</P><P>&nbsp;</P><P>I'm not sure what was the exact problem.</P><P>&nbsp;</P><P>The connection is now working, but I didn't change anything.</P><P>&nbsp;</P><P>That's very strange.</P><P>&nbsp;</P><P>But thanks for your support, though!</P> Wed, 23 Aug 2017 07:34:37 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172768#M54471 MPI-AE 2017-08-23T07:34:37Z https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172854#M54493 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/50331">@MPI-AE</a>,</P><P>If I would have to guess you likely want to take a look at the below article. It sounds like you don't have session-rematch enabled and the session wasn't getting properly closed on the session table.&nbsp;</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-Session-Rematch-Works/ta-p/60326" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-Session-Rematch-Works/ta-p/60326</A></P> Wed, 23 Aug 2017 14:19:26 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-3020-new-security-rule-isn-t-active/m-p/172854#M54493 BPry 2017-08-23T14:19:26Z