What is a Shadow Rule?

84354
Created On 09/25/18 19:20 PM - Last Modified 06/08/23 02:50 AM


Resolution


When committing a configuration, a warning may appear that one rule "shadows" another rule.

Rule 'rule1' shadows 'rule2'

Configuration committed successfully


A shadow rule warning generally indicates that a broader rule matching the same criteria is configured above a more specific rule, so the lower rule can never be hit.

See this example:

[Image: a security policy in which a first rule allowing any application sits above a second rule allowing only web-browsing]

No traffic will ever match the second rule, which specifically allows web-browsing, because all applications have already been allowed by the first rule.


The shadow rule warning can also appear if there are unresolved FQDNs. If FQDN objects are used in the policy, make sure they are resolved by checking from the CLI with this command:

>request system fqdn show
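As an added illustration (not Palo Alto Networks code), the following Python models the shadow check described above: a rule is shadowed when every field of it is contained in the corresponding field of some rule above it, and an FQDN object that has not yet resolved expands to the empty set, which makes the rule look shadowed until resolution succeeds. The rules, field names and FQDN table are constructed for the example.

```python
# Added example: a simplified model of the shadow-rule check this article
# describes. It is not the PAN-OS implementation; the rules, the FQDN table
# and the field names are constructed for illustration.
ANY = None  # a field set to ANY matches everything

def expand(value, resolved):
    """Expand a rule field into the set of concrete values it matches.
    "fqdn:<name>" entries are looked up in `resolved`; an unresolved FQDN adds
    nothing, and the empty set is a subset of every set (hence the warning)."""
    if value is ANY:
        return ANY
    out = set()
    for item in value:
        if item.startswith("fqdn:"):
            out |= resolved.get(item[len("fqdn:"):], set())
        else:
            out.add(item)  # literal match only; CIDR containment is not modelled
    return out

def covers(upper, lower, resolved):
    """True if everything `lower` could match is already matched by `upper` (action is irrelevant)."""
    for key in ("src", "dst", "app"):
        up, lo = expand(upper[key], resolved), expand(lower[key], resolved)
        if up is ANY:
            continue
        if lo is ANY or not lo <= up:
            return False
    return True

def find_shadows(rules, resolved):
    """Return (shadowed_rule, shadowing_rule) pairs for a policy in evaluation order."""
    found = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if covers(upper, lower, resolved):
                found.append((lower["name"], upper["name"]))
                break  # one shadowing rule is enough to report
    return found

# Constructed policy mirroring the article's example: "any" application above "web-browsing"
ARTICLE_EXAMPLE = [
    {"name": "rule1", "src": ANY, "dst": ANY, "app": ANY, "action": "allow"},
    {"name": "rule2", "src": ANY, "dst": ANY, "app": {"web-browsing"}, "action": "allow"},
]
# Constructed policy where rule B only looks shadowed while its FQDN object is unresolved
FQDN_EXAMPLE = [
    {"name": "A", "src": {"10.1.1.0/24"}, "dst": {"203.0.113.10"}, "app": {"ssl"}, "action": "allow"},
    {"name": "B", "src": {"10.1.1.0/24"}, "dst": {"fqdn:app.example.com"}, "app": {"ssl"}, "action": "allow"},
]
# Constructed resolver result, standing in for what `request system fqdn show` would report once resolved
RESOLVED_OK = {"app.example.com": {"203.0.113.20"}}
```

Calling `find_shadows(FQDN_EXAMPLE, {})` flags rule B, while `find_shadows(FQDN_EXAMPLE, RESOLVED_OK)` returns nothing, which is the behaviour the unresolved-FQDN warning reflects.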


See Also

Unresolved FQDNs in Security Policy Result in Shadow Policy Warning During Commit


owner: ukhapre


