topic Re: Persistent issue with APP-ID Reliability in General Topics

Persistent issue with APP-ID Reliability

scottoliver — Tue, 29 Oct 2019 17:25:04 GMT

Hello all. I have had an issue with PANOS since 7.0 (Currently I am on 9.0.2-h2) where the application id feature is not reliable in security rules. I can add a rule and for example lets say I allow ssl to 10.1.1.1 from 10.2.1.1 no user restrictions and just add the ssl application and commit. Then I try to access https on 10.1.1.1 from 10.2.1.1 and the traffic will be allowed. Then an hour later I try again and this time it will drop. When I go into monitor. Below is legitimate traffic being dropped because the application is "not-applicable"

In order to resolve this what I have to do is clone the rule and place it below or above and remove the applications and set it to any then set service to select and choose 443. I have so many redundant rules because of this and I am sick of doing it. Does anyone else have this problem or is it just me?

Re: Persistent issue with APP-ID Reliability

kiwi — Wed, 30 Oct 2019 12:56:19 GMT

Hi @scottoliver ,

Do you get any more information in the log details ?

Not-applicable usually means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service:

Not-applicable in Traffic Logs

Cheers !

-Kiwi.

Re: Persistent issue with APP-ID Reliability

scottoliver — Thu, 31 Oct 2019 21:49:54 GMT

Still no resolution on this I have opened ticket but no fixes yet