Access rule is being used even though the destination server is not mentioned in the rule.

L1 Bithead

Access rule is being used even though the destination server is not mentioned in the rule.

Under traffic logs we are seeing communication being allowed through an access rule which does not have a match for the destination server. There is a security profile attached to the rule. Can someone please explain this behavior of PA?

L7 Applicator

Re: Access rule is being used even though the destination server is not mentioned in the rule.

Hello,

The PAN will match a policy and route traffic accordingly. My guess is that you have a more generic policy above the more specific one. If I am not understanding this correctly, would you be able to screen shot the policy and the traffic log?


Regards,
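To make the "more generic policy above the more specific one" point concrete, here is an added illustration (not from the original thread, and not Palo Alto Networks code): a small top-down, first-match evaluator over a constructed rulebase. The rule names, zones, addresses and the session tuple are all assumed for the example. It shows that a session can hit a rule that never names its destination server, because that rule uses "any" for the destination and sits higher in the rulebase; `all_matches` lists every rule that would match so the shadowing is visible. The pre-App-ID session at the end illustrates a known PAN-OS behaviour that fits the later replies about log settings: the rule is re-evaluated once the application is identified, so a start-of-session log can name a different rule than the end-of-session log.

```python
"""Top-down, first-match evaluation of a firewall rulebase (illustrative, constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zones: set        # {"any"} or a set of zone names
    to_zones: set
    sources: list          # CIDR strings, or ["any"]
    destinations: list
    applications: set      # application names, or {"any"}
    action: str = "allow"


def _addr_match(cidrs, ip):
    """True when ip falls in any listed CIDR, or the list is 'any'."""
    if cidrs == [ANY]:
        return True
    return any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs)


def _set_match(allowed, value):
    return ANY in allowed or value in allowed


def _rule_matches(rule, session):
    return (_set_match(rule.from_zones, session["from_zone"])
            and _set_match(rule.to_zones, session["to_zone"])
            and _addr_match(rule.sources, session["src"])
            and _addr_match(rule.destinations, session["dst"])
            and _set_match(rule.applications, session["app"]))


def first_match(rulebase, session) -> Optional[str]:
    """Return the name of the first rule (top-down) that matches, or None
    when nothing matches (the implicit interzone default deny)."""
    for rule in rulebase:
        if _rule_matches(rule, session):
            return rule.name
    return None


def all_matches(rulebase, session):
    """Every rule that would match; only the first one is actually applied,
    the rest are shadowed for this session."""
    return [r.name for r in rulebase if _rule_matches(r, session)]


# Constructed rulebase: a broad outbound rule sits ABOVE the specific one.
RULEBASE = [
    Rule("allow-trust-out", {"trust"}, {ANY}, ["10.0.0.0/8"], [ANY], {ANY}),
    Rule("allow-to-app-server", {"trust"}, {"dmz"}, ["10.10.0.0/16"],
         ["10.20.0.5/32"], {"web-browsing"}),
]

# Constructed session to the server 10.20.0.5 (named only in the second rule).
SESSION = {"from_zone": "trust", "to_zone": "dmz",
           "src": "10.10.1.7", "dst": "10.20.0.5", "app": "web-browsing"}

# Same session before App-ID has identified the application: only the
# broad rule with application "any" can match at this point.
PRE_APPID_SESSION = dict(SESSION, app="incomplete")


if __name__ == "__main__":
    print("applied rule:      ", first_match(RULEBASE, SESSION))
    print("all matching rules:", all_matches(RULEBASE, SESSION))
    print("specific-first:    ", first_match(list(reversed(RULEBASE)), SESSION))
    print("pre-App-ID match:  ", all_matches(RULEBASE, PRE_APPID_SESSION))
```

Running it shows the session logged against `allow-trust-out` although that rule never mentions 10.20.0.5; moving the specific rule above the generic one changes the applied rule, which is the check the reply above asks for.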

L1 Bithead

Re: Access rule is being used even though the destination server is not mentioned in the rule.

As I mentioned earlier, the destination is not in the rule, yet PA is still allowing traffic using that rule.

L2 Linker

Re: Access rule is being used even though the destination server is not mentioned in the rule.

Hello @tejasmapuskar 


It looks like you have the issue as in this KB. Additionally, you can test which policy applies to your traffic. See this KB.

L1 Bithead

Re: Access rule is being used even though the destination server is not mentioned in the rule.

[Attachment: fw rule.PNG]

[Attachment: fw log.PNG]

Please see the attached files. This is a similar instance where the source zone is not defined in the rule, but the firewall is still using the rule to allow the communication.


L2 Linker

Re: Access rule is being used even though the destination server is not mentioned in the rule.

I agree. It looks weird. But there is some uncertainty (lack of information) that does not allow me to say that something is wrong with the firewall's behaviour.

Based on the 'Monitor' page screenshot it looks like you are using Panorama to check logs. Could you please connect to the device via CLI and run the appropriate test command to identify policy to which traffic matches?

L1 Bithead

Re: Access rule is being used even though the destination server is not mentioned in the rule.

The test security policy rule does not show the rule that's seen under the firewall logs. What does that mean? Is this a cosmetic error?

L2 Linker

Re: Access rule is being used even though the destination server is not mentioned in the rule.

There is an additional explanation of such behaviour in this KB. But the reason is the same: it is the log settings of the security policies.


In order to check whether real data traffic matches the expected security policy, I would identify the session ID in the log record (click on the 'magnifying glass' icon on the left side), then

1) connect to the firewall's CLI and run the command `show session <session ID>`

or

2) connect to the firewall's web UI, go to the Monitor > Session Browser (please note that you can open Session Browser in a firewall web UI only, not in Panorama), find the session with the same ID

3) check the policy name that this session matches.


If the policy name is correct, it will mean that you need to check one more time and make sure that the log settings of the security policies are set as described in this KB.


Otherwise, I would suggest opening a support case in order to identify the reason for such behaviour.


Hope my answer would be helpful.

L1 Bithead

Re: Access rule is being used even though the destination server is not mentioned in the rule.

We have logging enabled at the session end.

L2 Linker

Re: Access rule is being used even though the destination server is not mentioned in the rule.

Hello @tejasmapuskar ,


If you are seeing the expected security policy name in the results of the test command and in the Session Browser of the firewall, and the log settings are set to 'at the session end', but you are still observing an incorrect security policy name in the logs, it could be a software bug. I would propose submitting a case to vendor support.
