- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-09-2020 02:27 PM
Under traffic logs we are seeing communication is being allowed through an access rule which does not have a match for destination server. There is security profile attached to the rule. Can someone please explain this behavior of PA.
04-09-2020 02:31 PM
Hello,
The PAN will match a policy and route traffic accordingly. My guess is that you have a more generic policy above the more specific one. If I am not understanding this correctly, would you be able to screen shot the policy and the traffic log?
Regards,
04-09-2020 02:35 PM
As i mentioned earlier, the destination is not in the rule still PA is allowing traffic using that rule.
04-09-2020 07:35 PM - edited 04-09-2020 07:39 PM
Hello @tejasmapuskar
It looks like you have the issue as in this KB. Additionally, you can test which policy applies to your traffic. See this KB.
04-10-2020 12:53 PM
Please see the attached files. This is a similar instance where the source zone is not defined in the rule still firewall is using the rule to allow the communication.
04-10-2020 01:30 PM
I agree. It looks weird. But, there is some uncertanity (lack of information) that does not allow me to say that something wrong with firewall's behaviour.
Based on the 'Monitor' page screenshot it looks like you are using Panorama to check logs. Could you please connect to the device via CLI and run the appropriate test command to identify policy to which traffic matches?
04-10-2020 02:22 PM
The test security policy rule do not show the rule thats seen under the firewall logs. What does that mean? is this a cosmetic error.
04-10-2020 03:48 PM - edited 04-10-2020 03:49 PM
There is an additional explanation of such behaviour in this KB. But, the reason is the same, it is log's settings of the security policies.
In order to check if real data traffic matches to the expected security policy, I would identify the session ID in the log record (click on the 'magnifying glass' icon on the left side), then
1) connect to the firewall's CLI and run the command show session <session ID>
or
2) connect to the firewall's web UI, go to the Monitor > Session Browser (please note that you can open Session Browser in a firewall web UI only, not in Panorama), find the session with the same ID
3) check the policy name that this session matches.
If the policy name is correct, it will mean that you need to check one more time and make sure that log's settings of the security policies set as it is described in this KB.
Otherwise, I would suggest to open a support case in order to identify the reason of such behaviour.
Hope my answer would be helpful.
04-12-2020 07:02 PM
We have logging enabled at the session end.
04-13-2020 05:31 AM
Hello @tejasmapuskar ,
If you are seeing the expected security policy name in the results of test command and in the Session Browser of the firewall and log settings set to 'at the session end', but you are still observing incorrect security policy name in the logs, it could be a software bug. I would propose to submit a case to the vendor support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!