https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/388320#M90483 <P>Not applicable is because the firewall does not waste resources trying to identify it when it's already matched the deny rule.</P><P>&nbsp;</P><P>Are you sure the rule is set up correctly? When NAT is involved, the security rule should be to the pre-NAT IP, but the post-NAT zone.</P><P>&nbsp;</P><P>- DM</P> Sun, 28 Feb 2021 17:17:44 GMT dmifsud 2021-02-28T17:17:44Z https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/385421#M90142 <P>Hi All,</P><P>&nbsp;</P><P>I have a security rule to allow ip "A" to ssh to ip "B". I can see the traffic actually hitting the fw but it gets dropped with interzone-default. The test policy match also verifies that it matches the traffic.</P><P>&nbsp;</P><P>IP "B" is actually the firewall. And IP "B" is nated like this: original packet source IP "C", original packet dest&nbsp; ip "A", translated packet source ip "B".</P><P>&nbsp;</P><P>How can this happen? So the traffic hitting the firewall has an explicit allow rule but still missed.</P><P>&nbsp;</P><P>IP "A" is on the other end of the IPSec tunnel and when this traffic comes, it successfully creates a child SA. Routing is also set up for IP "A"</P><P>&nbsp;</P><P>Chhers,</P><P>Daniel</P> Thu, 11 Feb 2021 15:02:16 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/385421#M90142 olloczky 2021-02-11T15:02:16Z https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/385612#M90163 <P>I also noticed that in the logs it says "application not-applicable". But the log clearly says that it is port 22 which is used... very strange..</P> Fri, 12 Feb 2021 08:50:11 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/385612#M90163 olloczky 2021-02-12T08:50:11Z https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/388320#M90483 <P>Not applicable is because the firewall does not waste resources trying to identify it when it's already matched the deny rule.</P><P>&nbsp;</P><P>Are you sure the rule is set up correctly? When NAT is involved, the security rule should be to the pre-NAT IP, but the post-NAT zone.</P><P>&nbsp;</P><P>- DM</P> Sun, 28 Feb 2021 17:17:44 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/388320#M90483 dmifsud 2021-02-28T17:17:44Z https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/388409#M90503 <P>not-applicable is because the sesison is dropped, so the firewall doesn't care which application it is</P><P>&nbsp;</P><P>In regards to NAT:&nbsp; you're connecting from A to B, but then have a NAT rule from C to A source B?</P><P>your nat rule is supposed to allign with the direction the session is being established in</P><P>so unless you forgot to mension bidirection is enabled, this will never work</P><P>&nbsp;</P><P>&nbsp;but then you add that IP A is at the remote end of an IPSec tunnel, so the tunnel happens between D and B?</P><P>A will actually egress out of the tunnel interface, this should be a different zone than interface B. Did you account for this in the NAT rule?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 01 Mar 2021 16:27:10 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-not-matching-actual-traffic/m-p/388409#M90503 reaper 2021-03-01T16:27:10Z