Rules with schedules failing intermittantly

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Rules with schedules failing intermittantly

L4 Transporter

I recently upgraded to OS 7.1.15 on my PA 5050, I have two rules with schedules on them and have had for over a year.  In the traffic logs it was showing the traffic going back and forth between denying and allowing the traffic.  When I removed the schedules they worked with no issues. Any ideas what could be going on?

10 REPLIES 10

Cyber Elite
Cyber Elite

what does the policy look like and how is the schedule set? are you seeing both allow AND deny happening on the same rule?

 

the behavior for an allow rule, with a schedule 9am-11am should be:

  • connection at 8:50 is processed by a rule below the one with schedule, blocked/allowed by a different rule
  • connection at 9:01 is allowed by rule
  • (new) connection at 11:01 is processed by a rule below the schedule one, existing session that was allowed by policy is still active and will be left to live it's life (unless action is taken to terminate the session)

 

the behavior for a deny rule, with a schedule 9am-11am should be:

 

  • connection at 8:50 is processed by a rule below the one with schedule, blocked/allowed by a different rule
  • connection at 9:01 is blocked by rule
  • (new) connection at 11:01 is processed by a rule below the schedule one, here is a bit of a caveat: if appID is let to create a session before hitting the block rule (eg your block rule is built with applications rather than ports, a session first needs to be created before being able to block based on the app) an existing 'discard phase' session could still be blocking packets matching the tuples after the schedule ends (this is measured in seconds to a few minutes, usually)

so if you could provide a little more detail, that would be helpful 🙂

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

Yes I am seeing both allow and deny on the same rule within seconds.  Its been working consistently for over a year until this week. I upgraded the PA to 7.1.15 from 7.1.13 a week ago. I also reset the regions around the same time. This was allowing our student access to certain server/application from a specific wireless IP range to a specific IP. the rules are built with applications not ports, we took off several things(put them back if it didn't fix it) before we found that removing the schedule fixed it

Here is the schedule information:

 

schedule.PNG

 

 

hm... that's not supposed to happen...

 

the schedule should make the rules 'invisible' outside of the schedule so they get passed by when the 'decission making process' happens, not reverse the action ...

 

have you reached out to support on this already? If not I'd do that asap 😕

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

 

here is a sample of the traffice and is bouncing betweening allowing and dropping the traffic with in minutes. It is being denied by the clean up rule and goes off and on through the rule designed to allow the traffic

traffic.PNG

hi @jdprovine

 

ok, that looks more normal than I first expected 🙂

would you mind adding the rest of the log in there to get a more complete view? (feel free to obfuscate sensitive data ofcourse)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

I feel like a politician redacting classified information this isn't pretty but here it is

 

traffic.PNG

@jdprovine

Ok, that does look pretty weird

I fear you will need to have a little chat with support about this

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

 

Yup I opened a case with TAC yesterday and am collecting information for them now. I do have a lot of issues that seem to fall outside of the norm

@reaper

 

Forgot to say is it weird cause of the way I redacted it or how it is behaving LOL 😛

@jdprovine haha! Because of the behavior, I won't comment on your 'paint' skillz 😉
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2880 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!