https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409754#M92492 <P>Tired the &lt;commit force&gt; still the problem is same.</P> Fri, 28 May 2021 02:40:42 GMT AmardeepSuri 2021-05-28T02:40:42Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409435#M92447 <P>We recently upgraded the Palo Alto version to 9.1.7 on our physical hardware 3200 series. After 02 days we notice that before upgrade all policy rules and NAT works fine. However, The NAT and policy which we created after the upgrade not working. Not traffic or hit shows in monitoring.&nbsp;</P><P>&nbsp;</P><P>We rebooted the PA once still is not fixed. Is it a bug in the current version.&nbsp;</P> Thu, 27 May 2021 07:35:02 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409435#M92447 AmardeepSuri 2021-05-27T07:35:02Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409457#M92450 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182926">@AmardeepSuri</a> ,</P> <P>&nbsp;</P> <P>There's not a lot of info in your post to help you on your way.&nbsp;</P> <P>Is traffic reaching your firewall correctly ? Is it dropped before actually getting logged (check drop counters) ?</P> <P>&nbsp;</P> <P>I'm not aware of a bug describing your issue.</P> <P>While PAN-OS 9.1.7 seems fine, know that 9.1.8 is the recommended release at the time of this writing.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 27 May 2021 08:40:29 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409457#M92450 kiwi 2021-05-27T08:40:29Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409467#M92453 <P>Hi, Thanks,</P><P>&nbsp;</P><P>Yes, I observed packet drop increasing frequently.&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-05-27 142446.jpg" style="width: 659px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34106i8712C7AC4618E40C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot 2021-05-27 142446.jpg" alt="Screenshot 2021-05-27 142446.jpg" /></span></P> Thu, 27 May 2021 08:55:58 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409467#M92453 AmardeepSuri 2021-05-27T08:55:58Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409504#M92455 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182926">@AmardeepSuri</a> ,</P> <P>&nbsp;</P> <P>Please make sure that the traffic you're investigating is actually reaching your firewall correctly (on the correct interface, etc...).&nbsp; You can confirm this with packet captures (<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0</A>).</P> <P>&nbsp;</P> <P>Once you've confirmed that, create a packet filter based on the traffic you're investigating and check the global counter for specific drop counters.&nbsp; If there are any then it's likely they'll give you an indication of why it's being dropped.</P> <P>Check out the following KB on how to check for global counters.&nbsp; There's even a use-case example that shows you how to check the drop counters specifically:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS</A></P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <P>&nbsp;</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 27 May 2021 09:51:01 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409504#M92455 kiwi 2021-05-27T09:51:01Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409557#M92464 <P>Thanks!,</P><P>&nbsp;</P><P>I tried packet capture earlier also using all 4 capturing options (drop, receive, transmit, and firewall ). and I enabled pre-match also. But that only showing me drop packet with only mac information no matching IP defined in filters.</P> Thu, 27 May 2021 11:14:44 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409557#M92464 AmardeepSuri 2021-05-27T11:14:44Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409560#M92466 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182926">@AmardeepSuri</a>&nbsp;</P><P>packets dropped on the interface may not reach the dataplane (where packetcaptures are performed)&nbsp;</P><P>&nbsp;</P><P>disabling pre-parse will effectively cancel out filters as packets are captured before they are parsed (to filter). The drop packets you are seeing may be the mac frames you see in drop stage, are they 'normal' (no malformation?)</P><P>&nbsp;</P><P>you may be distracted from your original issue:</P><P>&nbsp;</P><P>since NAT does not appear to work, did you make sure the new NAT rules are in the proper order for them to match? rules are evaluated top to bottom with the first positive match being used. this could mean rules further down the rulebase are not hit as a preceding rule is too generic and you will need to reorder your rules</P><P>&nbsp;</P><P>you can check if your rules exist on the dataplane by using the following command:</P><P>&nbsp;</P><P>show running nat-rules</P><P>&nbsp;</P><P>then see if the new rules exist or not</P> Thu, 27 May 2021 11:37:07 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409560#M92466 reaper 2021-05-27T11:37:07Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409673#M92476 <P>Thanks, Reaper.</P><P>&nbsp;</P><P>As you suggested the checked the newly created NAT rule. However, I found that in the NAT rules list.&nbsp;</P><P>The command you shared not worked. But I tried with &lt;show running nat-rule-ippool rule "Bi-Nat Rule 12-1"&gt;</P><P>&nbsp;</P><P>Also, I would like to update not only the newly created NAT is not working. even an existing policy that allowing traffic from a specific source also not working when we added a new source in that.&nbsp;</P><P>&nbsp;</P> Thu, 27 May 2021 17:29:52 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409673#M92476 AmardeepSuri 2021-05-27T17:29:52Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409707#M92482 <P>In some cases saving a snapshot of the config, a fast factory default reset and again loading the config resolves such issues. If your firewall i in HA this is a thing that the TAC does many times</P><P>&nbsp;</P><P>&nbsp;</P><P>Before that check for commit errors:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG</A></P> Thu, 27 May 2021 19:41:49 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409707#M92482 nikoolayy1 2021-05-27T19:41:49Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409709#M92484 <P>Apologies, the correct command is&nbsp;</P><P>Show running nat-policy</P><P>&nbsp;</P><P>Try the following:</P><P>&gt; Configure</P><P># commit force</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 May 2021 19:50:51 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409709#M92484 reaper 2021-05-27T19:50:51Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409754#M92492 <P>Tired the &lt;commit force&gt; still the problem is same.</P> Fri, 28 May 2021 02:40:42 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-stopped-taking-new-policy-traffic/m-p/409754#M92492 AmardeepSuri 2021-05-28T02:40:42Z