topic Re: Access rule is being used even though the destination server is not mentioned in the rule. in General Topics

Access rule is being used even though the destination server is not mentioned in the rule.

tejasmapuskar — Thu, 09 Apr 2020 21:27:52 GMT

Under traffic logs we are seeing communication is being allowed through an access rule which does not have a match for destination server. There is security profile attached to the rule. Can someone please explain this behavior of PA.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

OtakarKlier — Thu, 09 Apr 2020 21:31:42 GMT

Hello,

The PAN will match a policy and route traffic accordingly. My guess is that you have a more generic policy above the more specific one. If I am not understanding this correctly, would you be able to screen shot the policy and the traffic log?

Regards,

Re: Access rule is being used even though the destination server is not mentioned in the rule.

tejasmapuskar — Thu, 09 Apr 2020 21:35:11 GMT

As i mentioned earlier, the destination is not in the rule still PA is allowing traffic using that rule.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

DanilaKh — Fri, 10 Apr 2020 02:39:56 GMT

Hello @tejasmapuskar

It looks like you have the issue as in this KB. Additionally, you can test which policy applies to your traffic. See this KB.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

tejasmapuskar — Fri, 10 Apr 2020 19:53:41 GMT

Please see the attached files. This is a similar instance where the source zone is not defined in the rule still firewall is using the rule to allow the communication.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

DanilaKh — Fri, 10 Apr 2020 20:30:20 GMT

I agree. It looks weird. But, there is some uncertanity (lack of information) that does not allow me to say that something wrong with firewall's behaviour.

Based on the 'Monitor' page screenshot it looks like you are using Panorama to check logs. Could you please connect to the device via CLI and run the appropriate test command to identify policy to which traffic matches?

Re: Access rule is being used even though the destination server is not mentioned in the rule.

tejasmapuskar — Fri, 10 Apr 2020 21:22:07 GMT

The test security policy rule do not show the rule thats seen under the firewall logs. What does that mean? is this a cosmetic error.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

DanilaKh — Fri, 10 Apr 2020 22:49:41 GMT

There is an additional explanation of such behaviour in this KB. But, the reason is the same, it is log's settings of the security policies.

In order to check if real data traffic matches to the expected security policy, I would identify the session ID in the log record (click on the 'magnifying glass' icon on the left side), then

1) connect to the firewall's CLI and run the command show session <session ID>

2) connect to the firewall's web UI, go to the Monitor > Session Browser (please note that you can open Session Browser in a firewall web UI only, not in Panorama), find the session with the same ID

3) check the policy name that this session matches.

If the policy name is correct, it will mean that you need to check one more time and make sure that log's settings of the security policies set as it is described in this KB.

Otherwise, I would suggest to open a support case in order to identify the reason of such behaviour.

Hope my answer would be helpful.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

tejasmapuskar — Mon, 13 Apr 2020 02:02:35 GMT

We have logging enabled at the session end.

Re: Access rule is being used even though the destination server is not mentioned in the rule.

DanilaKh — Mon, 13 Apr 2020 12:31:55 GMT

Hello @tejasmapuskar ,

If you are seeing the expected security policy name in the results of test command and in the Session Browser of the firewall and log settings set to 'at the session end', but you are still observing incorrect security policy name in the logs, it could be a software bug. I would propose to submit a case to the vendor support.