topic Re: UDP log that hit any deny rule and show allow in General Topics

UDP log that hit any deny rule and show allow

hbshin — Sat, 16 Jun 2018 02:21:27 GMT

Hello, i have a question about UDP session

rule 34

untrust any

trust any

app icmp, traceroute, ping

service any

action allow

rule 214

any any deny

you can see allow log hit rule 214

i found similar case about tcp.

https://live.paloaltonetworks.com/t5/Management-Articles/Action-Configured-in-Security-Rules-and-Seen-in-Traffic-Log-is/ta-p/62785

i think UDP session was created hitting rule 34 but don't understand UDP log showing allow and hit rule 214

Could you explain this log?

Best regards.

Re: UDP log that hit any deny rule and show allow

BPry — Sun, 17 Jun 2018 04:51:58 GMT

@hbshin,

It might help if you expand one of the sessions so that we can actually see what happened. Just the log doesn't really tell anyone much, but it likely has to do with the fact that you are allowing icmp, traceroute, and ping on service any with an action of allow. My guess would be that if you look at the actual session you'll see something a little different than what the base log is showing in your traffic logs. -

Re: UDP log that hit any deny rule and show allow

Remo — Sun, 17 Jun 2018 17:01:55 GMT

@hbshin

It could be exactly the same behaviour as described in the article you mentionned as the applications in your screenshot are also analysed with a decoder. When you enable the start log or even better with a flow basic analysis you probably find out more about this.

But besides this behaviour with allow logs for a deny rule. From your screenshot it looks like your trust zone has private IP addresses (RFC1918), so may I ask you why you have a rule allowing ping, icmp and traceroute from the internet towards your internal network?

And: do you still have these "allowed"-deny-logs when you set the service in rule 34 to application-default?

Re: UDP log that hit any deny rule and show allow

hbshin — Sun, 17 Jun 2018 18:02:25 GMT

Hello, @Remo

why you have a rule allowing ping, icmp and traceroute from the internet towards your internal network?

- it replaced old checkpoint firewall

And: do you still have these "allowed"-deny-logs when you set the service in rule 34 to application-default?

- There is no allowed log in rule 214 after set the service in rule 34 to application-default

when allowed log created i was doing HA A-P Failover test.

There was always System log that HA state change from passive to active between Start time and Receive time in allowed log

In other words, i think allowed log session was started on peer.

Best regards.