- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
Default interzone deny rule showing Allow traffic logs.
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Default interzone deny rule showing Allow traffic logs.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Default interzone deny rule showing Allow traffic logs.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-13-2021 12:20 AM
Default inter zone deny rule showing Allow traffic logs.
There are expected deny logs but some requests are getting allowed by hitting default interzone deny rule.
Very Strange behavior and we have already verified the Rule and its actions, it is configured to deny traffic from any to any.
Please share if any thoughts on this....
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-13-2021 03:07 PM
So first things first, I would verify that they don't have any changes to commit (IE: Did someone modify the interzone-default back from allow and forget to commit). If that isn't the case when it comes to extremely weird cases that shouldn't be happening, I would schedule a time to restart the box and see if the issue persists after a reload.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-14-2021 01:01 AM
is there an application associated to the traffic?
it could be that the initial SYN packet is being allowed because its source/dest and port are allowed, but then the session turns into an application for which no rule exists, it will then be passed on to the default deny rule to discard (after the session had already been allowed which could explain the 'allow' entry)
Like my answer? check out my book! https://bit.ly/MasteringPAN
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-15-2021 11:46 PM
We have already rebooted the device and still allowed logs are generating randomly
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-15-2021 11:58 PM
yes the traffic is identifying applications, and the scenario is most of the same pattern of traffic is denying as expected and only few of them are showing allowed and why it is happening only for this particular HA pair.
Even TAC guys are also not able to provide a clear explanation for this behavior.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-17-2021 03:21 PM
- could you maybe provide some screenshots?
- have you been able to perform packet captures or run global counters
- for the sessions where an application is present, what is displayed if you look up the session ID and then do 'show session id xxxx' from the cli (could you clean that up and paste it here)
- are the applications, matched to the dropped sessions' source/destination, allowed elsewhere in the rule set (i asked that in my last comment)
please look up 2 things: 1) is the source/dest/port allowed somewhere 2)is the source/dest/port/app allowed somewhere
Like my answer? check out my book! https://bit.ly/MasteringPAN
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-19-2021 04:59 PM
Thank you.This is almost confirmed that we are experiencing same behavior mentioned in the below KB link
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrUCAS
- PA-5050-Data plane showing high in General Topics
- PA 9.1.4 to zabbix snmp integration only showing mgmt interface data in General Topics
- Source ip region/country showing incorrect on PA firewall in General Topics
- Searching for missing logs in Next Gen Firewall monitor log. in General Topics
- My paloalto firewall isn't picking up any traffic or showing any sessions. in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
