https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337902#M85024 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42264">@jeff6strings</a>,</P> <P>This is expected logic in the configuration validation, and while 9.1 made it better you won't see any major improvements until you get to utilize 10.0 in production. Thankfully PAN is finally taking notice that this is super annoying and can lead to admins missing more critical things when they essentially get trained to ignore commit warnings.</P> Sun, 12 Jul 2020 02:49:52 GMT BPry 2020-07-12T02:49:52Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337806#M85019 <P>I have a firewall (lab unit) with version 9.1 and I configured two Security Policy Rules.</P><P>The top rule (1) is Trust to Untrust, a source user is a group, all default options, and an Action of Deny.</P><P>The second rule (2) is Trust to Untrust, a source user is a group (different from above), all default options, and an Action of Allow.</P><P>&nbsp;</P><P>When I commit the changes I receive a Rule Shadow warning stating rule 1 is shadowing rule 2. The commit succeeds but although both rules are the same, except for Deny and Allow, each is only different by the Source User and I would have thought it would know that. I assume this logic is not included in Shadow checks?</P><P>Thanks for any insight.</P><P>&nbsp;</P><P>Jeff</P> Fri, 10 Jul 2020 20:43:24 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337806#M85019 jeff6strings 2020-07-10T20:43:24Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337877#M85021 <P>Hi,</P><P>&nbsp;</P><P>I also noticed this behaviour with 9.0.9 (maybe other)...</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>HA</P> Sat, 11 Jul 2020 11:14:27 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337877#M85021 slp-security 2020-07-11T11:14:27Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337902#M85024 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42264">@jeff6strings</a>,</P> <P>This is expected logic in the configuration validation, and while 9.1 made it better you won't see any major improvements until you get to utilize 10.0 in production. Thankfully PAN is finally taking notice that this is super annoying and can lead to admins missing more critical things when they essentially get trained to ignore commit warnings.</P> Sun, 12 Jul 2020 02:49:52 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/337902#M85024 BPry 2020-07-12T02:49:52Z https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/338972#M85186 <P>Thank you for all the responses and hopefully, this is addressed in the coming versions.</P><P>&nbsp;</P><P>Jeff</P> Thu, 16 Jul 2020 14:13:48 GMT https://live.paloaltonetworks.com/t5/general-topics/shadow-rule-notice-really-not-a-shadow/m-p/338972#M85186 jeff6strings 2020-07-16T14:13:48Z