https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/185305#M56707 <P>Creating a Deny-All rule is bad practice, don't do it. If there is intrazone traffic (Trust to Trust for example) that has not been allowed by a previous rule, this will be denied because your Deny-All rule will be matching before the Intrazone-default rule.</P><P>&nbsp;</P><P>You don't need to make a deny-all rule to see denied traffic, you can actually click the click the default intra/interzone-default rules, click "Override" next to the Clone button at the bottom to edit them, then you can enable the "Log at session end" options under the Action tab.</P> Fri, 03 Nov 2017 09:36:02 GMT LukeBullimore 2017-11-03T09:36:02Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/31004#M22690 <HTML><HEAD></HEAD><BODY><P>Stupid question. Just need confirmation.</P><P></P><P>PA (42020) devices are default deny correct?</P><P></P><P>If a packet is not specifically allowed or denied by a rule; when it gets to the bottom of the rules the default action is to deny, correct?</P><P></P><P></P><P></P><P>thanks</P><P>--CH</P></BODY></HTML> Wed, 17 Apr 2013 17:09:27 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/31004#M22690 choff123 2013-04-17T17:09:27Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/31005#M22691 <HTML><HEAD></HEAD><BODY><P>Yes its denied but not logged.</P><P></P><P>In order to get denied packets logged you need to manually put a security policy in the end that says:</P><P></P><P>srczone: any</P><P>dstzone: any</P><P>srcip: any</P><P>dstip: any</P><P>user: any</P><P>appid: any</P><P>service: any</P><P>options: log on session end</P><P>action: deny</P></BODY></HTML> Wed, 17 Apr 2013 17:11:43 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/31005#M22691 mikand 2013-04-17T17:11:43Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/31006#M22692 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>just be careful with such an "deny all" rule since it will break intrazone traffic (traffic ingress and egress the same zone, this also includes e.g. ping to a data interface when enabled).</P><P></P><P>You can temporarily enable logging of the default deny rule on the CLI: set system setting logging default-policy-logging</P></BODY></HTML> Wed, 17 Apr 2013 20:09:32 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/31006#M22692 Anon1 2013-04-17T20:09:32Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/184814#M56637 <P>With an intrazone rule created before it, is there a good reason (security purposes ot other) not to have the Deny All rule in place at the end? Or is it more of personal preference?</P> Tue, 31 Oct 2017 21:29:05 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/184814#M56637 Jermaine_Scott 2017-10-31T21:29:05Z https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/185305#M56707 <P>Creating a Deny-All rule is bad practice, don't do it. If there is intrazone traffic (Trust to Trust for example) that has not been allowed by a previous rule, this will be denied because your Deny-All rule will be matching before the Intrazone-default rule.</P><P>&nbsp;</P><P>You don't need to make a deny-all rule to see denied traffic, you can actually click the click the default intra/interzone-default rules, click "Override" next to the Clone button at the bottom to edit them, then you can enable the "Log at session end" options under the Action tab.</P> Fri, 03 Nov 2017 09:36:02 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-is-default-deny/m-p/185305#M56707 LukeBullimore 2017-11-03T09:36:02Z