topic Do not see deny in traffic logs for traffic to internal server accessible via Public IP in General Topics

Do not see deny in traffic logs for traffic to internal server accessible via Public IP

MP18 — Wed, 20 Mar 2019 03:34:27 GMT

We have server reachable via Public IP say on port 13001 and 13002

We have Security rule

Source any

Zone outside

Destination 173.82.x.x IP of server

Zone inside

port 13001

Here i have not included the port 13002.

I have correct NAT policy for this.

When i see traffic logs i see

Source any

destination server public ip address

port 13002

action allow

source zone is outside

destination zone is outside.

need to know why i do not see deny for traffic on port 13002 from source zone outside to destination zone inside?

Re: Do not see deny in traffic logs for traffic to internal server accessible via Public IP

Mick_Ball — Wed, 20 Mar 2019 16:58:56 GMT

Hmmm.... this is a bit confusing...

to answer your question....

because you don't have an explicit "deny" policy for this traffic, so the palo will just drop the packets.

or maybe i have not understood your question.....

Re: Do not see deny in traffic logs for traffic to internal server accessible via Public IP

jeremy.larsen — Fri, 22 Mar 2019 19:30:58 GMT

You must select logging for your deny rule that this traffic traverses. The interzone-default deny rule (greyed out at the bottom of you list) does not have logging turned on by default. You can override this or create your own deny rule to catch these.

Re: Do not see deny in traffic logs for traffic to internal server accessible via Public IP

MP18 — Fri, 22 Mar 2019 20:16:15 GMT

logging is enabled.

I can see deny from other rules problem is only with this rule