topic The Rule is allowed but hit policy-deny? in General Topics

The Rule is allowed but hit policy-deny?

DPWorld — Tue, 19 Mar 2019 22:20:50 GMT

Hi,

Recentely the firewall upgraded from 6.1.5 to 8.1.6 but after upgrading there is something strange, there is a allowed rule but in monitor tab it hit deny, i tried to move it to top but still the same issue ( Session End Reason: policy-deny ).

Any help will be highly appricated

Thanks

Re: The Rule is allowed but hit policy-deny?

BPry — Wed, 20 Mar 2019 02:35:58 GMT

@DPWorld,

Can you include a screenshot of the rule that the traffic should be hitting along with an example of the detailed log view of the traffic that is hitting the interzone-default policy.

Just to verify as well, are you actually hitting the interzone-default policy? If you are hitting the allow security entry that you expect, with the action being allow but the SER being policy-deny, you could possibly simply be running into a certificate pinning issue if you are running decryption.

Re: The Rule is allowed but hit policy-deny?

Abdul_Razaq — Wed, 20 Mar 2019 06:01:53 GMT

Hi @DPWorld ,

As you have moved from 6 to 8, there are changes to default actions in PA,

Check whether you are hitting the below policy behaviour change,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFtCAK

Re: The Rule is allowed but hit policy-deny?

DPWorld — Wed, 20 Mar 2019 06:58:01 GMT

Re: The Rule is allowed but hit policy-deny?

Abdul_Razaq — Wed, 20 Mar 2019 08:31:42 GMT

web-browsing standard port is tcp/80, your traffic is to tcp/8080 . And your policy will be to allow web-browsing only on standard ports, so it wont match to policy.

You need to allow web-browsing over tcp/8080 in security policy.