topic Re: Rule with Deny action Allowing traffic in General Topics

Rule with Deny action Allowing traffic

nanukanu — Fri, 08 Mar 2019 09:07:19 GMT

Hi,

We facing an strange issue regarding filtering to some destinations.

We have a rule with 2 kinds of destination address:

1. Static Group Address defined in Palo Alto

2. External dynamic list (2 of them)

Those address are attached to a deny rule because are malicious url.

When take a look to the traffic log, we see that traffic hits the rule but the action is allow. We are running version 8.X

Any suggestion about that behaviour?

Re: Rule with Deny action Allowing traffic

TommieVanHove — Fri, 08 Mar 2019 10:23:05 GMT

Can you provide a bit more info?

i'm assuming the traffic being allowed is not actually hitting that policy rule in the logs?

also just to clarify:

you have 1 rule: containing a address group object. and 2 dynamic lists. not 2 sepearate rules?

Mind sharing the EDL url's?
also if the EDL uses url's, domains. make sure when to see if in monitoring tab the traffic being allowe dyou can resolve the url( checkbox at bottom of the page)

Re: Rule with Deny action Allowing traffic

nanukanu — Fri, 08 Mar 2019 10:39:50 GMT

Hi Tommie,

It's hitting the deny rule as you can see in the screenshoots below.

Regards,

Re: Rule with Deny action Allowing traffic

kiwi — Fri, 08 Mar 2019 10:43:34 GMT

Hi @nanukanu ,

My guess is that the traffic is allowed because the application isn't fully identified yet ...

It's normal for the firewall to allow some packets through to allow it to identify the application as seen in this article :

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliLCAS

Once the application is identified correctly it should block.

Hope this helps.

-Kiwi.

Re: Rule with Deny action Allowing traffic

nanukanu — Fri, 08 Mar 2019 10:58:55 GMT

Hi @kiwi,

But it's Just destination IP. I want to deny from any source to X destination IP block. Just layer 3.

I think the problem is related with external dynamic list. What happens if cannot reach the EDL? Block all traffic or allow? And what about if in the same rule we have edl and static? Which has more preference?

By the way are added to destination field in the ruleta, maybe must be added to URL field?

Thank you,

Re: Rule with Deny action Allowing traffic

kiwi — Fri, 08 Mar 2019 12:59:51 GMT

Hi @nanukanu ,

If you can't reach the EDL then there will not be anything to match on.

As for having both static and dynamic in one policy ... my guess it will process top down like a normal policy check. Static IPs are listed on top so they are checked first. If there's no match then it will process further down to the EDL lists. I haven't confirmed this but this seems logical to me.

Depending on what EDL you have configured you are limited on where you can use it :

You can use an IP address list as an address object in the source and destination of your policy rules;

you can use a URL List in Objects > Security Profiles > URL Filtering or as a match criteria in Security policy rules;

you can use a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing specified domain names.

Cheers !

-Kiwi

Re: Rule with Deny action Allowing traffic

nanukanu — Fri, 08 Mar 2019 14:11:34 GMT

Hi Kiwi,

Thank you for your response but not seems to clarify this behaviour.

Why action allow if rule says block? There's nothing to evaluate, just if you are trying to go to any address inside the EDL or static addres group just deny.

I understand what you say about identify application, but in this case it's just IP to IP decision.

Thank you!

Re: Rule with Deny action Allowing traffic

nanukanu — Mon, 18 Mar 2019 15:00:22 GMT

HI,

Any suggestion in this case?

After separate the rules (one with EDL and other with static group) seems that all is working fine, so it's something related about how PAN treat EDL and Static Groups in the same rule. Any new suggestion on that?

Regards!

Re: Rule with Deny action Allowing traffic

DPoppleton — Mon, 18 Mar 2019 18:24:04 GMT

Can you share screenshots of the rule?

Just looking at the logs, I only see 3 62-byte packets, and the traffic is incomplete. It looks like 3 SYN packets that go nowhere.

Re: Rule with Deny action Allowing traffic

aleksandar.astardzhiev — Mon, 18 Mar 2019 18:45:35 GMT

Hi @nanukanu,

What type are the EDLs? You mentioned that they are d URL list type, is that correct?

It is also possible that the firewall is allowing some traffic in order to get the actual URLs from the data. Once it retriefs the URLs it will evaluate the rules again to see if the this traffic is stil matching this rule (before that it is potential match, that is why some packets are allowed).

You should be easy to confirm if you filter the logs by address and not by rule name - that should give you all the rules that this traffic has hit.

But if you are right and the reason is that EDL is being used with static group in the same rule...This looks weard, not sure that the FW should act like that.

Re: Rule with Deny action Allowing traffic

nanukanu — Fri, 05 Apr 2019 12:59:01 GMT

Hi, finally the rules are separated and works correctly. We will remain in this configuration because is working, but I think a problem exists mixing static and dynamic url.

Thanks to all for your help,