Unexpected behaviour in security policy
07-27-2020 11:18 AM
I have one server that belongs to the DMZ zone.
Example:
server IP - 2.2.2.2
source ip for VPN user - 1.1.1.1
VPN zone
DMZ zone
There are 2 scenarios:
Policy (1) - I have created a policy like:
source zone - VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - Create an address object for 2.2.2.2.
Application - ANY
services - ANY
Action - Allow
no security profile.
Policy (2):
source zone - VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - 2.2.2.2
Application - ANY
services - ANY
Action - Allow
no security profile.
I can access 2.2.2.2 by policy (1), but when I apply policy (2) it is not accessible. Why this strange behaviour? I am not able to find out.
Once I applied policy 2, the traffic has been dropped.
PAN-OS version - 9.0.9-h1
07-27-2020 02:29 PM
Hello,
I would say make sure you have logging enabled on the policy and check the logs to see why the PAN is denying the traffic.
Regards,
07-28-2020 03:00 AM
Yes, I have checked the same. Once I applied policy 1 it will bypass all the policies and hit directly the deny any-any.
And I can see the traffic is dropped.
07-28-2020 07:34 AM
Hello,
This is definitely interesting. I would suggest opening a support case and see what they can find.
Regards,
07-28-2020 10:11 AM
I would say check the objects and addresses, then look for the source and destination address.
Make sure under IP netmask it is 1.1.1.1 or 2.2.2.2
Regards
Help the community: Like helpful comments and mark solutions.
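The suggestion above (check the address object's actual IP/netmask value, not just its name) is the first thing to verify, because a PAN-OS rulebase is evaluated top-down and a flow that matches no rule falls through to the interzone default deny. The following is an added example, not part of this thread and not Palo Alto Networks code: it simulates first-match policy evaluation over a constructed rulebase and shows that a rule referencing an address object whose value differs from the intended host (the constructed object `Srv-2.2.2.2-bad`, defined as 2.2.2.3/32) drops the flow to the default deny, while the same rule with the raw IP or a correctly defined object allows it. The `audit_objects` helper flags objects whose name embeds an IP that their value does not cover; the zone names, object names and the `ssh`/`tcp/22` flow are assumptions.

```python
import ipaddress
import re

# Constructed address objects. The name is only a label; the firewall matches
# on the value. "Srv-2.2.2.2-bad" models a typo in the object definition.
ADDRESS_OBJECTS = {
    "Srv-2.2.2.2-good": "2.2.2.2/32",
    "Srv-2.2.2.2-bad": "2.2.2.3/32",
}

# Constructed VPN-user-to-DMZ flow matching the thread's example addresses.
FLOW = {"src_zone": "VPNzone", "src_ip": "1.1.1.1",
        "dst_zone": "DMZ", "dst_ip": "2.2.2.2",
        "app": "ssh", "service": "tcp/22"}


def resolve(value):
    """Turn 'any', a raw IP/prefix, or an address object name into a network."""
    if value == "any":
        return None
    value = ADDRESS_OBJECTS.get(value, value)
    return ipaddress.ip_network(value, strict=False)


def rule_matches(rule, flow):
    """Every field of the rule must cover the flow for the rule to match."""
    if rule["src_zone"] not in ("any", flow["src_zone"]):
        return False
    if rule["dst_zone"] not in ("any", flow["dst_zone"]):
        return False
    for field, ip_key in (("src", "src_ip"), ("dst", "dst_ip")):
        net = resolve(rule[field])
        if net is not None and ipaddress.ip_address(flow[ip_key]) not in net:
            return False
    if rule["app"] not in ("any", flow["app"]):
        return False
    if rule["service"] not in ("any", flow["service"]):
        return False
    return True


def evaluate(rulebase, flow):
    """First-match evaluation; no match falls through to the default deny."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule
    return {"name": "interzone-default", "action": "deny"}


def make_rulebase(dst):
    """Build the single VPN-to-DMZ allow rule from the thread with a given destination."""
    return [{"name": "VPN-to-DMZ", "src_zone": "VPNzone", "src": "1.1.1.1",
             "dst_zone": "DMZ", "dst": dst, "app": "any", "service": "any",
             "action": "allow"}]


IP_IN_NAME = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def audit_objects(objects=ADDRESS_OBJECTS):
    """Flag objects whose name embeds an IP that the object's value does not cover."""
    suspicious = []
    for name, value in objects.items():
        m = IP_IN_NAME.search(name)
        if m and ipaddress.ip_address(m.group()) not in ipaddress.ip_network(value, strict=False):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for dst in ("2.2.2.2", "Srv-2.2.2.2-good", "Srv-2.2.2.2-bad"):
        hit = evaluate(make_rulebase(dst), FLOW)
        print(f"destination {dst!r}: matched {hit['name']} -> {hit['action']}")
    print("objects whose value disagrees with their name:", audit_objects())
```

On a real firewall the equivalent check is to open the address object, confirm the type is IP netmask and the value is the exact host (or a prefix that contains it), and then read the traffic log with logging enabled on the rule to see which rule name the session actually matched.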
07-28-2020 10:44 AM
Thanks for your reply. My concern is why the firewall denies traffic once I configure security policy 1 and give the IP address in the destination; however, once I created the object for the same IP address and allowed it in the destination, all is working fine.
This issue is occurring only for one IP address; the rest are working fine.
I am not able to find out the reason.
07-28-2020 11:59 AM
You can do the PCAP on the firewall; then you will have more info on why the PA is denying the traffic.
Regards
07-28-2020 12:07 PM
I took the packet capture and found the SYN packet is going towards the server but didn't get any ACK from the server side.
Then a TCP retransmission packet has been captured.
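The capture result described above (SYN leaves towards the server, no SYN-ACK comes back, client retransmits) is the pattern of a handshake that the firewall forwarded but the server or the return path never answered, which is a different problem from a policy deny. The following is an added example, not part of this thread: it pairs SYNs with SYN-ACKs in tcpdump-style packet summaries and reports which handshakes went unanswered and how many times the client retransmitted. The capture lines are constructed for this example (the thread's 1.1.1.1 and 2.2.2.2 plus an assumed second host 2.2.2.3 that does answer); the `Flags [S]` / `Flags [S.]` notation is tcpdump's.

```python
import re
from collections import defaultdict

# tcpdump-style summary line: "src.port > dst.port: Flags [S]" (seq/ack text ignored).
PKT = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed capture: three SYNs to 2.2.2.2 with no reply (two retransmits),
# and one fully completed handshake to 2.2.2.3 for comparison.
CAPTURE = [
    "1.1.1.1.51234 > 2.2.2.2.22: Flags [S], seq 100",
    "1.1.1.1.51234 > 2.2.2.2.22: Flags [S], seq 100",
    "1.1.1.1.51234 > 2.2.2.2.22: Flags [S], seq 100",
    "1.1.1.1.51235 > 2.2.2.3.22: Flags [S], seq 200",
    "2.2.2.3.22 > 1.1.1.1.51235: Flags [S.], seq 900, ack 201",
    "1.1.1.1.51235 > 2.2.2.3.22: Flags [.], ack 901",
]


def parse(line):
    """Return the 5-tuple-ish fields of one summary line, or None if it is not TCP."""
    m = PKT.search(line)
    return m.groupdict() if m else None


def handshake_report(lines):
    """Map each client->server (src, sport, dst, dport) SYN to its outcome."""
    syn_count = defaultdict(int)
    answered = set()
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syn_count[fwd] += 1
        elif p["flags"] == "S.":
            # A SYN-ACK travels server->client; record it under the client's key.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {
        key: {"syn_sent": n, "retransmits": n - 1, "syn_ack_seen": key in answered}
        for key, n in syn_count.items()
    }


def unanswered(lines):
    """Handshakes where a SYN was forwarded but no SYN-ACK ever came back."""
    report = handshake_report(lines)
    return sorted(k for k, v in report.items() if not v["syn_ack_seen"])


if __name__ == "__main__":
    for key, info in handshake_report(CAPTURE).items():
        src, sport, dst, dport = key
        state = "answered" if info["syn_ack_seen"] else "NO SYN-ACK"
        print(f"{src}:{sport} -> {dst}:{dport}: {state}, retransmits={info['retransmits']}")
```

When the firewall's own capture shows the SYN on the egress stage towards the server and nothing on the return, the next things to check are the server's listener and host firewall and whether the reply path actually routes back through the same device; a traffic log with an "aged-out" session end reason on the allow rule, rather than a "policy-deny", points the same way.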
07-30-2020 07:35 AM
Just curious, did you find a solution for this?
Regards