https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248592#M70711 <P>I'm seeing an odd issue where I've got a rule allowing sflow traffic coming from a WAN zone into my server zone where my monitoring servers sit.&nbsp; Most of the traffic passes as it should, but there are random subnets where the rule is being denied with it showing it is hitting the default deny policy.&nbsp; The only filtering on the rule is for port 2055, coming from the WAN zone and into the server zone.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Any ideas?&nbsp;&nbsp;</P> Sat, 02 Feb 2019 17:31:21 GMT scott.jones 2019-02-02T17:31:21Z https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248592#M70711 <P>I'm seeing an odd issue where I've got a rule allowing sflow traffic coming from a WAN zone into my server zone where my monitoring servers sit.&nbsp; Most of the traffic passes as it should, but there are random subnets where the rule is being denied with it showing it is hitting the default deny policy.&nbsp; The only filtering on the rule is for port 2055, coming from the WAN zone and into the server zone.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Any ideas?&nbsp;&nbsp;</P> Sat, 02 Feb 2019 17:31:21 GMT https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248592#M70711 scott.jones 2019-02-02T17:31:21Z https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248616#M70722 <P>Hello,</P><P>Is the incoming sflow traffic on port 2055? The logs should show what is getting blocked, ie. source, destination, etc. Also I would change the policy to layer 7 by using the sflow application.</P><P>&nbsp;</P><P>Cheers!</P> Sun, 03 Feb 2019 00:52:46 GMT https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248616#M70722 OtakarKlier 2019-02-03T00:52:46Z https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248630#M70729 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103335">@scott.jones</a>,</P><P>Utilizing the&nbsp;<EM>'test security-policy-match'</EM> command in the CLI with one of the denied flows should verify that the traffic&nbsp;<EM>should</EM> be matching your intended security entry.&nbsp;</P> Sun, 03 Feb 2019 02:21:46 GMT https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248630#M70729 BPry 2019-02-03T02:21:46Z https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248708#M70744 <P>That ended up doing the trick.&nbsp; Still not sure why some sites worked and others didn't, but when I switched to the app rule, it started passing traffic.</P><P>&nbsp;</P><P>thanks again for the help!</P> Mon, 04 Feb 2019 13:43:35 GMT https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248708#M70744 scott.jones 2019-02-04T13:43:35Z https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248709#M70745 <P>This will come in handy for sure going forward.&nbsp; ended up switching to the app rule for sflow and getting rid of the port-based config, and now it's allowing the traffic through.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks for the info!</P> Mon, 04 Feb 2019 13:44:51 GMT https://live.paloaltonetworks.com/t5/general-topics/sflow-traffic-denied-from-certain-ips-even-though-rule-allows-it/m-p/248709#M70745 scott.jones 2019-02-04T13:44:51Z