https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203291#M59903 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>&nbsp;</P><P>Yup I opened a case with TAC yesterday and am collecting information for them now. I do have a lot of issues that seem to fall outside of the norm</P> Fri, 02 Mar 2018 16:02:37 GMT jdprovine 2018-03-02T16:02:37Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203154#M59879 <P>I recently upgraded to OS 7.1.15 on my PA 5050, I have two rules with schedules on them and have had for over a year.&nbsp; In the traffic logs it was showing the traffic going back and forth between denying and allowing the traffic.&nbsp; When I removed the schedules they worked with no issues. Any ideas what could be going on?</P> Thu, 01 Mar 2018 20:32:26 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203154#M59879 jdprovine 2018-03-01T20:32:26Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203251#M59890 <P>what does the policy look like and how is the schedule set? are you seeing both allow AND deny happening on the same rule?</P> <P>&nbsp;</P> <P>the behavior for an <EM>allow</EM> rule, with a schedule 9am-11am should be:</P> <UL> <LI>connection at 8:50 is processed by a rule below the one with schedule, blocked/allowed by a different rule</LI> <LI>connection at 9:01 is allowed by rule</LI> <LI>(new) connection at 11:01 is processed by a rule below the schedule one, existing session that was allowed by policy is still active and will be left to live it's life (unless action is taken to terminate the session)</LI> </UL> <P>&nbsp;</P> <P>the behavior for a<EM> deny</EM> rule, with a schedule 9am-11am should be:</P> <P>&nbsp;</P> <UL> <LI>connection at 8:50 is processed by a rule below the one with schedule, blocked/allowed by a different rule</LI> <LI>connection at 9:01 is blocked by rule</LI> <LI>(new) connection at 11:01 is processed by a rule below the schedule one, here is a bit of a caveat: if appID is let to create a session before hitting the block rule (eg your block rule is built with applications rather than ports, a session first needs to be created before being able to block based on the app) an existing 'discard phase' session could still be blocking packets matching the tuples after the schedule ends (this is measured in seconds to a few minutes, usually)</LI> </UL> <P>so if you could provide a little more detail, that would be helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Fri, 02 Mar 2018 10:30:12 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203251#M59890 reaper 2018-03-02T10:30:12Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203266#M59895 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>Yes I am seeing both allow and deny on the same rule within seconds.&nbsp; Its been working consistently for over a year until this week. I upgraded the PA to 7.1.15 from 7.1.13 a week ago. I also reset the regions around the same time. This was allowing our student access to certain server/application from a specific wireless IP range to a specific IP. the rules are built with applications not ports, we took off several things(put them back if it didn't fix it) before we found that removing the schedule fixed it</P><P>Here is the schedule information:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="schedule.PNG" style="width: 549px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14092iCC8AEB54D08D97EC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="schedule.PNG" alt="schedule.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 02 Mar 2018 13:39:23 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203266#M59895 jdprovine 2018-03-02T13:39:23Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203269#M59896 <P>hm... that's not supposed to happen...</P> <P>&nbsp;</P> <P>the schedule should make the rules 'invisible' outside of the schedule so they get passed by when the 'decission making process' happens, not reverse the action ...</P> <P>&nbsp;</P> <P>have you reached out to support on this already? If not I'd do that asap <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Fri, 02 Mar 2018 13:46:32 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203269#M59896 reaper 2018-03-02T13:46:32Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203270#M59897 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>&nbsp;</P><P>here is a sample of the traffice and is bouncing betweening allowing and dropping the traffic with in minutes. It is being denied by the clean up rule and goes off and on through the rule designed to allow the traffic</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic.PNG" style="width: 781px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14093i187E5388DDE20064/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="traffic.PNG" alt="traffic.PNG" /></span></P> Fri, 02 Mar 2018 13:47:18 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203270#M59897 jdprovine 2018-03-02T13:47:18Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203272#M59898 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a></P> <P>&nbsp;</P> <P>ok, that looks more normal than I first expected <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>would you mind adding the rest of the log in there to get a more complete view? (feel free to obfuscate sensitive data ofcourse)</P> Fri, 02 Mar 2018 13:49:53 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203272#M59898 reaper 2018-03-02T13:49:53Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203274#M59899 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>I feel like a politician redacting classified information this isn't pretty but here it is</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="traffic.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14094i99BBDCA89662E7B1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="traffic.PNG" alt="traffic.PNG" /></span></P> Fri, 02 Mar 2018 13:58:35 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203274#M59899 jdprovine 2018-03-02T13:58:35Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203287#M59902 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a></P> <P>Ok, that does look pretty weird</P> <P>I fear you will need to have a little chat with support about this</P> Fri, 02 Mar 2018 14:55:04 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203287#M59902 reaper 2018-03-02T14:55:04Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203291#M59903 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>&nbsp;</P><P>Yup I opened a case with TAC yesterday and am collecting information for them now. I do have a lot of issues that seem to fall outside of the norm</P> Fri, 02 Mar 2018 16:02:37 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203291#M59903 jdprovine 2018-03-02T16:02:37Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203292#M59904 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a></P><P>&nbsp;</P><P>Forgot to say is it weird cause of the way I redacted it or how it is behaving LOL <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Fri, 02 Mar 2018 16:03:36 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203292#M59904 jdprovine 2018-03-02T16:03:36Z https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203339#M59912 <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a> haha! Because of the behavior, I won't comment on your 'paint' skillz <span class="lia-unicode-emoji" title=":winking_face:">😉</span> Fri, 02 Mar 2018 18:57:56 GMT https://live.paloaltonetworks.com/t5/general-topics/rules-with-schedules-failing-intermittantly/m-p/203339#M59912 reaper 2018-03-02T18:57:56Z