Recently I upgraded my firewall from PANOS 8.0.10 to 8.0.17. The upgrade went fine. However, after making a small configuration change (adding a new address object), my commit showed a Shadow Rule warning.
The warning is associated with a rule that I have that is designed to Deny traffic from ANY zone and ANY application whose destination is the outside (untrusted) zone with a destination address that is identified by Palo's External Dynamic lists "PaloAlto Networks High Risk Addresses" and "PaloAlto Known Malicious IP Addresses".
This rule "Block Malicious Sites" is the first security rule that is defined. The warning indicates this rule shadows another rule that is listed further down in my list that allows specific traffic (NTP application) to the outside.
While I can move the "Block Malicious Site" rule further down the list, I can't comprehend why it would be considered shadowing. It seems to me the rule targets specific addresses, essentially those identified in the dynamic list. If it truly were shadowing, I would have thought I would have seen this warning prior to my upgrade from 8.0.10 to 8.0.17. It seems to me that something has changed in the way the firewall evaluates the rules.
Has anyone else seen this behavior or have any ideas on what might be happening?
I appreciate any input.
Rule shadowing is always because a more general rule is above a more specific rule below it (as you are aware).
Not knowing how many Source Zones you have... my recommendation is to list all of them in the source zone field vs using ANY.
You could also do ANY source zone (but then put in the 3 internal unroutable address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).
Just need to modify the rule so it does not cause the shadowing.
Thanks for the help @SteveCantwell
I first tried to just change the Source Zones from Any to the specific zones I wanted to use, as you suggested. This didn't seem to help. I still received a warning indicating it was shadowing. I then went ahead and added as a source address the regions (based on my address schemes) of 10.0.0.0 - 10.255.255.255 and 192.168.0.0 - 192.168.255.255.
Upon making this change, the validation of the commit worked fine and I was able to successfully commit the configuration.