<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic policy is clear yet traffic is still DENIED in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374094#M89017</link>
    <description>&lt;P&gt;Hi all, we have a policy that clearly states FROM and TO objects and SMB_override (custom app, I presume, created earlier) as the application. The service is configured as Application-default. As per Monitor, it goes straight through to the deny rule, ignoring our Allow rule. The application is correctly identified, the port is right. All looks good. Yet it's being denied. It's not the first time PA does it. It's very frustrating. People now want ANY to ANY because PA works half the time.&lt;/P&gt;</description>
    <pubDate>Mon, 14 Dec 2020 03:40:31 GMT</pubDate>
    <dc:creator>igs1917</dc:creator>
    <dc:date>2020-12-14T03:40:31Z</dc:date>
    <item>
      <title>policy is clear yet traffic is still DENIED</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374094#M89017</link>
      <description>&lt;P&gt;Hi all, we have a policy that clearly states FROM and TO objects and SMB_override (custom app, I presume, created earlier) as the application. The service is configured as Application-default. As per Monitor, it goes straight through to the deny rule, ignoring our Allow rule. The application is correctly identified, the port is right. All looks good. Yet it's being denied. It's not the first time PA does it. It's very frustrating. People now want ANY to ANY because PA works half the time.&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 03:40:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374094#M89017</guid>
      <dc:creator>igs1917</dc:creator>
      <dc:date>2020-12-14T03:40:31Z</dc:date>
    </item>
    <item>
      <title>Re: policy is clear yet traffic is still DENIED</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374107#M89018</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165374"&gt;@igs1917&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;What version of PAN-OS are you running? It doesn't give a lot of confidence that you are talking about using a custom app-id entry and you're presuming how it was configured if I'm being honest. How was the custom app-id configured? Are you using an application-override policy to override the traffic to your custom SMB_override app-id entry, or are you relying on a signature to identify the traffic?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When you log into the CLI and run the&amp;nbsp;&lt;EM&gt;test security-policy-match&amp;nbsp;&lt;/EM&gt;command and enter the traffic exactly as displayed in one of the denied log entries is it showing a match in your security rulebase? If you can, share a few copies of the log that isn't matching the target security rulebase entry and the actual entry; chances are something is just improperly configured.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 04:59:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374107#M89018</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-12-14T04:59:50Z</dc:date>
    </item>
    <item>
      <title>Re: policy is clear yet traffic is still DENIED</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374109#M89020</link>
      <description>&lt;P&gt;Thank you, appreciate your help. We are running 9.0.9&lt;/P&gt;&lt;P&gt;Just a basic policy with a custom application. Basic custom app (SMB_Override) with a port (tcp/445). PA correctly recognizes it. I can do a screenshot. I can see in the logs it's tcp 445. Yet it just does not work. It's not the first time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I just had a look and the policy is set to "universal". All the rest are Interzone.&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 05:19:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374109#M89020</guid>
      <dc:creator>igs1917</dc:creator>
      <dc:date>2020-12-14T05:19:29Z</dc:date>
    </item>
    <item>
      <title>Re: policy is clear yet traffic is still DENIED</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374110#M89021</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165374"&gt;@igs1917&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Screenshots would help a lot in this case. The issue with the custom app-id is really more to do with how it, and associated rulebase entries, have been configured. Does your SMB_override have a default port of tcp/445 listed so that your application-default on the service will actually function? Are you using a signature to identify the traffic or an application-override entry? I would assume with something named SMB_override you are simply using an application-override entry to disable layer7 processing on SMB traffic.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Generally speaking, the firewall won't simply skip processing the traffic properly. More than likely, the denied traffic isn't actually 100% matching something within the security rulebase entry. That could have something to do with how the application-override (assuming there is an entry) is set up, or how the security rulebase entry itself is set up. Something, however, is causing the firewall to think that traffic doesn't match anymore.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 05:27:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374110#M89021</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-12-14T05:27:48Z</dc:date>
    </item>
    <item>
      <title>Re: policy is clear yet traffic is still DENIED</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374117#M89023</link>
      <description>&lt;P&gt;No signature. A strict default port. That is hard set in the app.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is logical that it shouldn't just skip.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;New update: I am looking at the firewall directly and the rule is missing altogether, whereas in Panorama it's there. It could be that the new policy was created and was not pushed?&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="monitor.jpg" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29120i211A7358F2FFF9C0/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="monitor.jpg" alt="monitor.jpg" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="policy.jpg" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29121i9C0D520618E738B8/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="policy.jpg" alt="policy.jpg" /&gt;&lt;/span&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SMB_override.jpg" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29119i1CB982F249C33F40/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="SMB_override.jpg" alt="SMB_override.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="app group.jpg" style="width: 415px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29122i2F7EC89FB9477053/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="app group.jpg" alt="app group.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 05:57:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374117#M89023</guid>
      <dc:creator>igs1917</dc:creator>
      <dc:date>2020-12-14T05:57:05Z</dc:date>
    </item>
    <item>
      <title>Re: policy is clear yet traffic is still DENIED</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374121#M89024</link>
      <description>&lt;P&gt;If the rule isn't there on the firewall, that means it hasn't been pushed down from Panorama yet, which would explain why the traffic is hitting the deny rule.&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 08:03:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/policy-is-clear-yet-traffic-is-still-denied/m-p/374121#M89024</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2020-12-14T08:03:03Z</dc:date>
    </item>
  </channel>
</rss>

