Issue
When the CLI command that displays zone protection counters is issued, the 'tcp-reject-non-syn' and 'asymmetric-path' counters appear under the IPv6 filter. However, they are Layer 4 settings and should be displayed under the general IPv(4/6) filter.
> show zone-protection zone <zone-name>
-------------------------------------------------------------------------------
IPv(4/6) filter:
discard-ip-spoof: enabled: no
discard-ip-frag: enabled: no
IPv4 packet filter:
discard-icmp-ping-zero-id: enabled: no
discard-icmp-frag: enabled: no
discard-icmp-large-packet: enabled: no
discard-icmp-error: enabled: no
suppress-icmp-timeexceeded: enabled: no
suppress-icmp-needfrag: enabled: no
discard-strict-source-routing: enabled: no
discard-loose-source-routing: enabled: no
discard-timestamp: enabled: no
discard-record-route: enabled: no
discard-security: enabled: no
discard-stream-id: enabled: no
discard-unknown-option: enabled: no
discard-malformed-option: enabled: no
discard-overlapping-tcp-segment-mismatch: enabled: no
IPv6 filter:
routing-header: enabled: yes, packets dropped: 0
ipv4-compatible-address: enabled: no
anycast-source: enabled: no
options-invalid-ipv6-discard: enabled: no
icmpv6-too-big-small-mtu-discard: enabled: no
needless-fragment-hdr: enabled: no
reserved-field-set-discard: enabled: no
hop-by-hop-hdr: enabled: no
routing-hdr: enabled: no
dest-option-hdr: enabled: no
tcp-reject-non-syn: enabled: yes (global), packets dropped: 11023
asymmetric-path: enabled: no (global)
redirect: enabled: no
dest-unreach: enabled: no
pkt-too-big: enabled: no
time-exceeded: enabled: no
param-problem: enabled: no
Resolution
The issue is resolved in PAN-OS 6.0, where the "tcp-reject-non-syn" and "asymmetric-path" counters are displayed under the IPv(4/6) filter, as shown in the example below:
> show zone-protection zone <zone-name>
-------------------------------------------------------------------------------
IPv(4/6) Filter:
discard-ip-spoof: enabled: no
discard-ip-frag: enabled: no
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
asymmetric-path: enabled: no (global)
IPv4 packet filter:
<output truncated for brevity...>
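Scripts that collect these drop counters from the CLI will find the two settings in different sections depending on the release. The Python below is an added example, not part of the original article or of any Palo Alto Networks tooling; the function name parse_zone_protection and the returned dictionary layout are assumptions, and the sample input is trimmed from the two outputs shown above.

```python
import re

# Layer 4 settings that pre-6.0 output prints under "IPv6 filter:".
L4_SETTINGS = {"tcp-reject-non-syn", "asymmetric-path"}
GENERAL = "IPv(4/6) filter"
SECTION = re.compile(r"^(IPv\S*(?: packet)? filter):$", re.IGNORECASE)
# 6.0 prints "yes, (global), packet dropped: 0"; earlier output prints
# "yes (global), packets dropped: 11023". Commas and the plural are optional.
ENTRY = re.compile(
    r"^(?P<name>[\w-]+):\s+enabled:\s+(?P<state>yes|no),?"
    r"(?:\s+\((?P<scope>\w+)\))?"
    r"(?:,\s+packets? dropped:\s+(?P<dropped>\d+))?$"
)

def parse_zone_protection(text):
    """Return {section: {setting: fields}}, filing L4 settings under GENERAL."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = SECTION.match(line)
        if header:
            current = header.group(1)[:-len("filter")] + "filter"  # 6.0: "Filter"
            sections.setdefault(current, {})
            continue
        entry = ENTRY.match(line)
        if entry is None or current is None:
            continue  # prompt, separator or truncation marker
        home = GENERAL if entry["name"] in L4_SETTINGS else current
        sections.setdefault(home, {})[entry["name"]] = {
            "enabled": entry["state"] == "yes",
            "scope": entry["scope"],  # "global" or None
            "dropped": int(entry["dropped"] or 0),  # 0 when no counter is printed
            "printed_under": current,  # section the CLI actually used
        }
    return sections

# Sample input: lines copied from the two outputs on this page, trimmed.
PRE_60 = """IPv(4/6) filter:
discard-ip-spoof: enabled: no
IPv6 filter:
routing-header: enabled: yes, packets dropped: 0
tcp-reject-non-syn: enabled: yes (global), packets dropped: 11023
asymmetric-path: enabled: no (global)
"""
POST_60 = """IPv(4/6) Filter:
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
asymmetric-path: enabled: no (global)
IPv4 packet filter:
"""
```

The printed_under field records where the CLI placed each setting, so a collector can tell which layout it was given.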
See Also
Issue 51955 in PAN-OS 6.0: Addressed Issues
owner: hyadavalli