https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273607#M75053 <P>Rule shadowing is always because a more general rule is above more specific rule below it (as you are aware)</P><P>&nbsp;</P><P>Not knowing how many Source Zones you have... my recommendation is list all of the them in the source zone field vs using ANY.</P><P>&nbsp;</P><P>You could also do ANY source zone (but then put in the 3 internal unrouteable address 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)</P><P>Just need to modify the rule so it does not cause the shadowing.</P> Thu, 27 Jun 2019 17:08:41 GMT S.Cantwell 2019-06-27T17:08:41Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273444#M75033 <P>Hi,</P><P>&nbsp;</P><P>Recently I upgrades my firewall from PANOS 8.0.10 to 8.0.17.&nbsp; The upgrade went fine.&nbsp; However, after making a small configuration change (adding a new address object), my commit showed a Shadow Rule warning.&nbsp;&nbsp;</P><P>&nbsp;</P><P>The warning is associated with a rule that I have that is designed to Deny traffic from ANY zone and ANY application whose destination is the outsize (untrusted) zone with a desitnation address that is identified by Palo's External Dynamic lists "PaloAlto Networks High Risk Addresses" and "PaloAlto Known Malicious IP Addresses"</P><P>&nbsp;</P><P>This rule&nbsp; "Block Malicious Sites" is the first security rule that is defined.&nbsp; The warning indicates this rule shadoes anothe rule that is listed further down in my list that allows specific traffic (NTP application) to the outside.</P><P>&nbsp;</P><P>While I can move the "Block Malicious Site" rule further down the list, I can't comprehend why it would be considered shadowing.&nbsp; It seems to me the rule targets specific address, essentially those identified in the dynamic list.&nbsp; If it truly were shadowing, I would have thought I would have seen this warning prior to my upgrades from 8.0.10 to 8.0.17.&nbsp; It seems to me that something has changed in the way the firewall evaluated the rules.</P><P>&nbsp;</P><P>Has anyone else seen this behavior or have any ideas on what might be happening?&nbsp;&nbsp;</P><P>I appreciate any input.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P> Thu, 27 Jun 2019 09:27:58 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273444#M75033 sgoethals 2019-06-27T09:27:58Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273593#M75049 <P>Post a screenshot of the two rules, and (if possible) the full text of the error message.</P> Thu, 27 Jun 2019 15:53:35 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273593#M75049 fjwcash 2019-06-27T15:53:35Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273607#M75053 <P>Rule shadowing is always because a more general rule is above more specific rule below it (as you are aware)</P><P>&nbsp;</P><P>Not knowing how many Source Zones you have... my recommendation is list all of the them in the source zone field vs using ANY.</P><P>&nbsp;</P><P>You could also do ANY source zone (but then put in the 3 internal unrouteable address 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)</P><P>Just need to modify the rule so it does not cause the shadowing.</P> Thu, 27 Jun 2019 17:08:41 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273607#M75053 S.Cantwell 2019-06-27T17:08:41Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273615#M75055 <P>Thanks for the help <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304">@S.Cantwell</a></P><P>&nbsp;</P><P>I first tried to just change the Source Zones from Any to the specific zones I wanted to use. as you suggested.&nbsp; This didn't seem to help.&nbsp; I still received a warning indicating it was shadowing.&nbsp; I then went ahead and added as a source address the regions (based on my address schemes) of 10.0.0.0 - 10.255.255.255 and 192.168.0.0-192.168.255.255.</P><P>&nbsp;</P><P>Upon making this change, the validation of the commit worked fine and I was able to sucessfully commit the configuration.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Jun 2019 18:49:22 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/273615#M75055 sgoethals 2019-06-27T18:49:22Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/336800#M84881 <P>Are you sure this is the right solution?</P><P>&nbsp;</P><P>Check difference in results between Validate and Commit actions:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNvNCAW" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNvNCAW</A></P><P>&nbsp;</P><P>This was the solution for me.</P> Tue, 07 Jul 2020 01:41:05 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-warning/m-p/336800#M84881 SimonT 2020-07-07T01:41:05Z