Shadow Rule Warning

L2 Linker

Hi,

 

Recently I upgraded my firewall from PANOS 8.0.10 to 8.0.17. The upgrade went fine. However, after making a small configuration change (adding a new address object), my commit showed a Shadow Rule warning.

 

The warning is associated with a rule that I have that is designed to Deny traffic from ANY zone and ANY application whose destination is the outside (untrusted) zone, with a destination address that is identified by Palo's External Dynamic Lists "PaloAlto Networks High Risk Addresses" and "PaloAlto Known Malicious IP Addresses".

 

This rule, "Block Malicious Sites", is the first security rule that is defined. The warning indicates this rule shadows another rule that is listed further down in my list, one that allows specific traffic (NTP application) to the outside.

 

While I can move the "Block Malicious Sites" rule further down the list, I can't comprehend why it would be considered shadowing. It seems to me the rule targets specific addresses, essentially those identified in the dynamic lists. If it truly were shadowing, I would have thought I would have seen this warning prior to my upgrade from 8.0.10 to 8.0.17. It seems to me that something has changed in the way the firewall evaluates the rules.

 

Has anyone else seen this behavior or have any ideas on what might be happening?  

I appreciate any input.

 

Thanks,

 


L4 Transporter

Post a screenshot of the two rules, and (if possible) the full text of the error message.

Cyber Elite

Rule shadowing is always because a more general rule is above a more specific rule below it (as you are aware).

 

Not knowing how many Source Zones you have... my recommendation is to list all of them in the source zone field vs. using ANY.

 

You could also do ANY source zone (but then put in the three internal unroutable address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).

Just need to modify the rule so it does not cause the shadowing.


Thanks for the help @SCantwell_IM

 

I first tried just changing the Source Zones from Any to the specific zones I wanted to use, as you suggested. This didn't seem to help. I still received a warning indicating it was shadowing. I then went ahead and added as source addresses the ranges (based on my address scheme) 10.0.0.0 - 10.255.255.255 and 192.168.0.0 - 192.168.255.255.

 

Upon making this change, the validation of the commit worked fine and I was able to successfully commit the configuration.
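The two replies above (the Cyber Elite's "more general rule above a more specific one" explanation, and the OP's finding that narrowing the source zone did not clear the warning but adding source address ranges did) can be reproduced with a small first-match shadow checker. This is an added example, not code from the thread or from Palo Alto Networks, and it uses an assumed model: an earlier rule shadows a later one when every match field of the earlier rule covers the corresponding field of the later rule. The rule names, the "inside"/"outside" zones, and the EDL member networks (TEST-NET placeholders) are constructed; the `edl_resolved=False` case, where the validator cannot expand the EDL and so treats the destination as "any", is a hypothesis consistent with the thread and the Validate-vs-Commit article linked below, not documented PAN-OS behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Sentinel for a match field set to "any". (Assumed model, not PAN-OS's code.)
ANY = None

# The three RFC 1918 ranges suggested as explicit sources in the reply above.
RFC1918: Tuple[IPv4Network, ...] = tuple(
    ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


@dataclass(frozen=True)
class Rule:
    """One security rule. Each match field is ANY or an explicit set of values."""
    name: str
    action: str
    src_zones: Optional[FrozenSet[str]] = ANY
    dst_zones: Optional[FrozenSet[str]] = ANY
    src_addrs: Optional[Tuple[IPv4Network, ...]] = ANY
    dst_addrs: Optional[Tuple[IPv4Network, ...]] = ANY
    apps: Optional[FrozenSet[str]] = ANY


def _names_cover(earlier, later) -> bool:
    """True if every zone/app the later rule matches is also matched earlier."""
    if earlier is ANY:
        return True
    if later is ANY:
        return False
    return set(later) <= set(earlier)


def _nets_cover(earlier, later) -> bool:
    """True if every network the later rule matches sits inside an earlier one."""
    if earlier is ANY:
        return True
    if later is ANY:
        return False
    return all(any(n.subnet_of(m) for m in earlier) for n in later)


def shadows(earlier: Rule, later: Rule) -> bool:
    """The earlier rule fully shadows the later one if it covers every field."""
    return (
        _names_cover(earlier.src_zones, later.src_zones)
        and _names_cover(earlier.dst_zones, later.dst_zones)
        and _nets_cover(earlier.src_addrs, later.src_addrs)
        and _nets_cover(earlier.dst_addrs, later.dst_addrs)
        and _names_cover(earlier.apps, later.apps)
    )


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowing rule, shadowed rule) pairs for a first-match rulebase."""
    return [
        (earlier.name, later.name)
        for i, later in enumerate(rules)
        for earlier in rules[:i]
        if shadows(earlier, later)
    ]


def op_scenario(edl_resolved: bool,
                deny_src_zones=ANY,
                deny_src_addrs=ANY) -> List[Tuple[str, str]]:
    """
    Rebuild the thread's two rules (hypothetical names and zones).
    edl_resolved=False models a validator that cannot expand the EDL and so
    treats the destination address as "any" (an assumption, not documented
    behaviour). The EDL members are constructed TEST-NET placeholders.
    """
    edl = (tuple(ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24"))
           if edl_resolved else ANY)
    block = Rule("Block Malicious Sites", "deny",
                 src_zones=deny_src_zones,
                 dst_zones=frozenset({"outside"}),
                 src_addrs=deny_src_addrs,
                 dst_addrs=edl)            # application stays ANY, as in the post
    ntp = Rule("Allow NTP", "allow",
               src_zones=frozenset({"inside"}),
               dst_zones=frozenset({"outside"}),
               apps=frozenset({"ntp"}))    # source address ANY
    return find_shadowed([block, ntp])


if __name__ == "__main__":
    print("EDL expanded:         ", op_scenario(True))
    print("EDL unresolved:       ", op_scenario(False))
    print("+ source zone inside: ", op_scenario(False, deny_src_zones=frozenset({"inside"})))
    print("+ RFC1918 sources:    ", op_scenario(False, deny_src_addrs=RFC1918))
```

With the EDL expanded the deny rule's destination is narrower than the NTP rule's "any", so nothing is shadowed. With the EDL treated as "any", every field of the deny rule covers the NTP rule, and restricting the deny rule's source zone to the same zone the NTP rule already uses changes nothing, which is what the OP saw. Adding explicit source address ranges breaks the cover because the NTP rule's source address is "any". The practitioner caveat is that this workaround also narrows the block rule itself: traffic from any source outside the listed ranges (for example 172.16.0.0/12, which the OP did not add) is no longer denied by it, so confirm the ranges really cover every internal network before committing.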

 

 

L2 Linker

Are you sure this is the right solution?

 

Check the difference in results between the Validate and Commit actions:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNvNCAW

 

This was the solution for me.
