https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220541#M63605 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a></P><P>&nbsp;</P><P>You're correct with your comment "Is it just the perculiarity of the firewall knowing "FTP" creates new return sessions and these are allowed logged? I can't see anything in the opposite direction for the other services."</P><P>&nbsp;</P><P>It is the way that the firewall is creating "predict" sessions for FTP ALG.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Palo-Alto-Networks-Firewall-Session-Overview/ta-p/55633" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Palo-Alto-Networks-Firewall-Session-Overview/ta-p/55633</A></P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/application-level-gateways" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/application-level-gateways</A></P><P>&nbsp;</P><P>As a "workaround" to this, you can create an Application-Override policy for the FTP traffic which would in turn disable FTP ALG.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-for-FTP/ta-p/58420" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-for-FTP/ta-p/58420</A></P><P>&nbsp;</P><P>Thanks,</P><P>Luke.</P> Wed, 04 Jul 2018 15:12:29 GMT LukeBullimore 2018-07-04T15:12:29Z https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220534#M63604 <P>&nbsp;</P><P>I am tidying up some rules that were "rush" jobs as part of the initial deployment.</P><P>&nbsp;</P><P><STRONG>One rule&nbsp;"TEST-VI"&nbsp;was&nbsp;</STRONG></P><P>SRC ZONE - TRUST&nbsp;&nbsp;<BR />DST ZONE - Partners<BR />DST Addr - I%%%%%A-VIP</P><P>Application - Any</P><P>&nbsp;</P><P>I was going to get rid of this as there is another rule after it with "Service 20,988,5678" which would be a better match.</P><P>&nbsp;</P><P>But when I looked at the tracffic for the rule <STRONG>"TEST-VI"</STRONG></P><P>&nbsp;</P><P>???I see traffic going in both directions "Trust -&gt; Partners" but also "Partners -&gt; Trust"???</P><P>&nbsp;</P><P>The NAT rule matches the sources and destinations.</P><P>Source (Trust) = 128.%.%.22<BR />Dest (Trust) = 128.%.%.244<BR />Source Translated = 192.%.%.111<BR />Dest Translated = 192.%.%.254</P><P>&nbsp;</P><P>Why is the security rule allowing the traffic Partner to Trust??<BR /><BR />Is it just the perculiarity of the firewall knowing "FTP" creates new return sessions and these are allowed logged? I can't see anything in the opposite direction for the other services.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15772iD4F3B3D960B1D49C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="palo.jpg" alt="palo.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Jul 2018 14:53:28 GMT https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220534#M63604 RobinClayton 2018-07-04T14:53:28Z https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220541#M63605 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a></P><P>&nbsp;</P><P>You're correct with your comment "Is it just the perculiarity of the firewall knowing "FTP" creates new return sessions and these are allowed logged? I can't see anything in the opposite direction for the other services."</P><P>&nbsp;</P><P>It is the way that the firewall is creating "predict" sessions for FTP ALG.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Palo-Alto-Networks-Firewall-Session-Overview/ta-p/55633" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Palo-Alto-Networks-Firewall-Session-Overview/ta-p/55633</A></P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/application-level-gateways" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/application-level-gateways</A></P><P>&nbsp;</P><P>As a "workaround" to this, you can create an Application-Override policy for the FTP traffic which would in turn disable FTP ALG.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-for-FTP/ta-p/58420" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-for-FTP/ta-p/58420</A></P><P>&nbsp;</P><P>Thanks,</P><P>Luke.</P> Wed, 04 Jul 2018 15:12:29 GMT https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220541#M63605 LukeBullimore 2018-07-04T15:12:29Z https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220543#M63607 <P>Ahh good, that means I should be good to disable the bad rule and leave the correct rule and ALG to do the job.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Rob</P> Wed, 04 Jul 2018 15:35:40 GMT https://live.paloaltonetworks.com/t5/general-topics/why-is-this-traffic-allowed-when-the-rule-should-not-allow-it/m-p/220543#M63607 RobinClayton 2018-07-04T15:35:40Z