https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213767#M62157 <P>Hi people,&nbsp;</P><P>&nbsp;</P><P>I want to troubleshoot a connectvity issue.... typical problem where server guy says "it's a firewall issue". Can anyone suggest what's the best way to allow all traffic? I was thinking of traffic from my source (10.0.0.0/8) to destination B10.1.0.0/8) but use&nbsp;</P><P>Application: ANY</P><P>Service: ANY</P><P>log both start and stop</P><P>turn off virus checking,&nbsp;</P><P>turn off anti spoofing.&nbsp;</P><P>&nbsp;</P><P>I want to avoid any issues with application ports and service types. Is service any, application any the best way to make the policy to allow all traffic? Or should i consider specifying application unknown-tcp and unknown-udp with service any or application default?</P><P>&nbsp;</P><P>Any suggestions would help. thank you. D</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 09 May 2018 16:49:03 GMT Jedi_D 2018-05-09T16:49:03Z https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213767#M62157 <P>Hi people,&nbsp;</P><P>&nbsp;</P><P>I want to troubleshoot a connectvity issue.... typical problem where server guy says "it's a firewall issue". Can anyone suggest what's the best way to allow all traffic? I was thinking of traffic from my source (10.0.0.0/8) to destination B10.1.0.0/8) but use&nbsp;</P><P>Application: ANY</P><P>Service: ANY</P><P>log both start and stop</P><P>turn off virus checking,&nbsp;</P><P>turn off anti spoofing.&nbsp;</P><P>&nbsp;</P><P>I want to avoid any issues with application ports and service types. Is service any, application any the best way to make the policy to allow all traffic? Or should i consider specifying application unknown-tcp and unknown-udp with service any or application default?</P><P>&nbsp;</P><P>Any suggestions would help. thank you. D</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 09 May 2018 16:49:03 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213767#M62157 Jedi_D 2018-05-09T16:49:03Z https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213778#M62158 <P>application unknown-tcp and unknown-udp will block all KNOWN applications</P><P>&nbsp;</P><P>app any/service any would be best IMO - make sure the rule is universal to truly allow ANY traffic.</P><P>&nbsp;</P><P>The logs will show you what applications and ports are actually in use.</P><P>&nbsp;</P><P>alternately, override the default allow and deny rules to add logging, and you will see if there is any traffic being allowed or denied silently without opening the firewall to all traffic.</P> Wed, 09 May 2018 17:25:44 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213778#M62158 JoeAndreini 2018-05-09T17:25:44Z https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213793#M62164 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52883">@Jedi_D</a>,</P><P>I would generally do exactly what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83021">@JoeAndreini</a>&nbsp;mentioned at the end of his post. Simply override the logging on the intra/inter zone rules and see what the logs have to say. This way you aren't opening up anything for testing purposes but you can still see what the traffic looks like.&nbsp;</P><P>As a side note also ensure that you are looking in the unified logs and not just the traffic logs. Traffic may be allowed, however a threat is being identified that causes the firewall to close the session.&nbsp;</P> Wed, 09 May 2018 19:43:35 GMT https://live.paloaltonetworks.com/t5/general-topics/best-way-to-allow-all-traffic-for-troubleshooting/m-p/213793#M62164 BPry 2018-05-09T19:43:35Z