Under traffic logs we are seeing communication is being allowed through an access rule which does not have a match for destination server. There is security profile attached to the rule. Can someone please explain this behavior of PA.
The PAN will match a policy and route traffic accordingly. My guess is that you have a more generic policy above the more specific one. If I am not understanding this correctly, would you be able to screen shot the policy and the traffic log?
I agree. It looks weird. But, there is some uncertanity (lack of information) that does not allow me to say that something wrong with firewall's behaviour.
Based on the 'Monitor' page screenshot it looks like you are using Panorama to check logs. Could you please connect to the device via CLI and run the appropriate test command to identify policy to which traffic matches?
There is an additional explanation of such behaviour in this KB. But, the reason is the same, it is log's settings of the security policies.
In order to check if real data traffic matches to the expected security policy, I would identify the session ID in the log record (click on the 'magnifying glass' icon on the left side), then
1) connect to the firewall's CLI and run the command show session <session ID>
2) connect to the firewall's web UI, go to the Monitor > Session Browser (please note that you can open Session Browser in a firewall web UI only, not in Panorama), find the session with the same ID
3) check the policy name that this session matches.
If the policy name is correct, it will mean that you need to check one more time and make sure that log's settings of the security policies set as it is described in this KB.
Otherwise, I would suggest to open a support case in order to identify the reason of such behaviour.
Hope my answer would be helpful.
Hello @tejasmapuskar ,
If you are seeing the expected security policy name in the results of test command and in the Session Browser of the firewall and log settings set to 'at the session end', but you are still observing incorrect security policy name in the logs, it could be a software bug. I would propose to submit a case to the vendor support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!