https://live.paloaltonetworks.com/t5/general-topics/why-traffic-log-shows-that-traffic-match-allow-policy-but-the/m-p/388605#M90522 <P>Does anyone have following experience and could give me some idea to fix this issue?</P><P>&nbsp;</P><P>Thanks a lot ~</P><P>&nbsp;</P><P>I found sometimes the traffic log shows that traffic match allow policy but the result was reset by default deny policy.</P><P>&nbsp;</P><P>For example:</P><P>&nbsp;</P><P>I have a policy for allow some users to access TCP 58975.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="圖片1.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30121i1C632F437199BD38/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="圖片1.png" alt="圖片1.png" /></span></P><P>I checked traffic log and I found traffic be reset by interzone-default during 2/11 08:07:16 to 2/12 08:02:31</P><P>I already checked threat log and there is no log about drop or reset for this traffic.</P><P>And I checked configuration log and there is no change record.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="圖片2.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30122i5171F623009A6E27/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="圖片2.png" alt="圖片2.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="圖片3.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30123iE6607C18E115AD36/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="圖片3.png" alt="圖片3.png" /></span></P><P>&nbsp;</P><P>I have a clue, this PA-3020 update apps-content everyday at 8:00.</P><P>Traffic begin reset at&nbsp;2/11 08:07:16 that just update to&nbsp;8374-6528.</P><P>And after 24 hours traffic be allow at&nbsp;2/12 08:02:31 that also just update to 8375-6541.</P><P>But I'm not sure is it can cause this problem because I think the policy allow any application so it should be allow if traffic match L3 to L4 rule. And I'm not sure that always happen after apps-content update in&nbsp;the first few times.</P><P>&nbsp;</P><P>I have open a case but support says they need capture packets or they doesn't have&nbsp;enough data to analysis this issue.</P><P>That is problem because I can not reproduce this&nbsp;situation.</P><P>&nbsp;</P><P>PA-3020</P><P>PAN-OS :&nbsp;<SPAN>8.1.16</SPAN></P><P>&nbsp;</P> Tue, 02 Mar 2021 15:25:10 GMT neilwu 2021-03-02T15:25:10Z https://live.paloaltonetworks.com/t5/general-topics/why-traffic-log-shows-that-traffic-match-allow-policy-but-the/m-p/388605#M90522 <P>Does anyone have following experience and could give me some idea to fix this issue?</P><P>&nbsp;</P><P>Thanks a lot ~</P><P>&nbsp;</P><P>I found sometimes the traffic log shows that traffic match allow policy but the result was reset by default deny policy.</P><P>&nbsp;</P><P>For example:</P><P>&nbsp;</P><P>I have a policy for allow some users to access TCP 58975.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="圖片1.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30121i1C632F437199BD38/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="圖片1.png" alt="圖片1.png" /></span></P><P>I checked traffic log and I found traffic be reset by interzone-default during 2/11 08:07:16 to 2/12 08:02:31</P><P>I already checked threat log and there is no log about drop or reset for this traffic.</P><P>And I checked configuration log and there is no change record.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="圖片2.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30122i5171F623009A6E27/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="圖片2.png" alt="圖片2.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="圖片3.png" style="width: 698px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30123iE6607C18E115AD36/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="圖片3.png" alt="圖片3.png" /></span></P><P>&nbsp;</P><P>I have a clue, this PA-3020 update apps-content everyday at 8:00.</P><P>Traffic begin reset at&nbsp;2/11 08:07:16 that just update to&nbsp;8374-6528.</P><P>And after 24 hours traffic be allow at&nbsp;2/12 08:02:31 that also just update to 8375-6541.</P><P>But I'm not sure is it can cause this problem because I think the policy allow any application so it should be allow if traffic match L3 to L4 rule. And I'm not sure that always happen after apps-content update in&nbsp;the first few times.</P><P>&nbsp;</P><P>I have open a case but support says they need capture packets or they doesn't have&nbsp;enough data to analysis this issue.</P><P>That is problem because I can not reproduce this&nbsp;situation.</P><P>&nbsp;</P><P>PA-3020</P><P>PAN-OS :&nbsp;<SPAN>8.1.16</SPAN></P><P>&nbsp;</P> Tue, 02 Mar 2021 15:25:10 GMT https://live.paloaltonetworks.com/t5/general-topics/why-traffic-log-shows-that-traffic-match-allow-policy-but-the/m-p/388605#M90522 neilwu 2021-03-02T15:25:10Z https://live.paloaltonetworks.com/t5/general-topics/why-traffic-log-shows-that-traffic-match-allow-policy-but-the/m-p/389127#M90599 <P>This is interesting..&nbsp;&nbsp;</P> <P>I see what you mean in your rules, dropped for about 24 hours.. then allowed again.</P> <P>&nbsp;</P> <P>Questions:</P> <P>&nbsp;- Is this constant?&nbsp; or was this a one time event?&nbsp;</P> <P>&nbsp;- Have you seen this before?</P> <P>&nbsp;- It looks like you are just using Services and not apps? have you tried creating a custom app for this and allowing that application? Not sure that would matter.</P> <P>&nbsp;</P> Thu, 04 Mar 2021 16:30:53 GMT https://live.paloaltonetworks.com/t5/general-topics/why-traffic-log-shows-that-traffic-match-allow-policy-but-the/m-p/389127#M90599 jdelio 2021-03-04T16:30:53Z