topic Re: Unexpected behaviour in security policy in General Topics

Unexpected behaviour in security policy

Jafar_Hussain — Mon, 27 Jul 2020 18:18:27 GMT

I have one server belongs from the DMZ zone.
Example:-
server ip- 2.2.2.2
source ip for VPN user - 1.1.1.1
VPN zone
DMZ zone

There is 2 scenerio:-
policy(1) - I have created a policy like:-
sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - Create an address object for 2.2.2.2.
Application - ANY
services - ANY
Action - Allow
no security profile.

Policy(2):-

sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - 2.2.2.2
Application - ANY
services - ANY
Action - Allow
no security profile.

I can access 2.2.2.2 by policy(1) but when i apply policy(2) it is not accessible why this strange behaviour i am not able to find out.

once i applied policy -2 the traffic has been dropped.

PAN-OS version - 9.0.9-h1

Re: Unexpected behaviour in security policy

OtakarKlier — Mon, 27 Jul 2020 21:29:41 GMT

Hello,

I would say make sure you have logging enabled on the policy and check the logs to see why the PAN is denying the traffic.

Regards,

Re: Unexpected behaviour in security policy

Jafar_Hussain — Tue, 28 Jul 2020 10:00:05 GMT

@OtakarKlier

Yes , i have checked the same , once i applied policy-1 it will bypass all the policy and heat directly to deny any-any.

And i can see the traffic is dropped.

Re: Unexpected behaviour in security policy

OtakarKlier — Tue, 28 Jul 2020 14:34:08 GMT

Hello,

This is definitely interesting. I would suggest opening a support case and see what they can find.

Regards,

Re: Unexpected behaviour in security policy

MP18 — Tue, 28 Jul 2020 17:11:48 GMT

@Jafar_Hussain

I will say check the objects, addresses then look for source and destination address.

Make sure under IP netmask it is 1.1.1.1

or 2.2.2.2

Regards

Re: Unexpected behaviour in security policy

Jafar_Hussain — Tue, 28 Jul 2020 17:44:11 GMT

@MP18

Thanks for your reply, my concern is why the firewall deny traffic once i configure the security policy-1 and given the IP address in destination, however, once i created the object for the same IP address and allow in destination all are working fine.

This issue is occurring only for one IP address rest are working fine.

I am not able to find out the reason.