DMZ server is not accessable by Global protect

L4 Transporter


Hello,


I have one server that belongs to the DMZ zone.
Example:-
server IP - 2.2.2.2
source IP for VPN user - 1.1.1.1
VPN zone
DMZ zone

There are 2 scenarios:-
policy(1) - I have created a policy like:-
source zone - VPN zone
source IP - 1.1.1.1
destination zone - DMZ zone
destination IP - ANY
Application - ANY
services - ANY
Action - Allow
no security profile.


Policy(2):-

source zone - VPN zone
source IP - 1.1.1.1
destination zone - DMZ zone
destination IP - 2.2.2.2
Application - ANY
services - ANY
Action - Allow
no security profile.

I can access 2.2.2.2 by policy(1), but when I apply policy(2) it is not accessible; in the traffic logs it is showing drop and there is no session ID.

PAN-OS version - 9.0.9-h1

Cyber Elite

@Jafar_Hussain,

I would kind of question why you wouldn't be using policy 2 to begin with, but that seems odd if correct. It's kind of hard to troubleshoot when someone types out an entry like this. Can you include a screenshot of the deny log and the two policies in question?


You can log into the CLI as well and test the security rulebase entry, to make sure that the firewall at least does the policy lookup correctly, by supplying your criteria to the test security-policy-match command.
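To illustrate what the policy-match test above is checking, here is a small top-down first-match rulebase lookup in Python, written for this thread as an added example (it is not PAN-OS code and does not reproduce every match criterion of a real rule, only zones and addresses). The rulebase mirrors the two policies from the original post plus a final deny rule; the mis-typed destination in the last lookup is a constructed value used to show how traffic falls through to the deny rule when the specific destination does not match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    src: str        # host/CIDR literal or "any"
    dst_zone: str
    dst: str
    action: str     # "allow" or "deny"
    enabled: bool = True


def addr_matches(spec: str, ip: str) -> bool:
    """True if ip falls inside spec; "any" matches everything, a bare host such as 2.2.2.2 is a /32."""
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def zone_matches(spec: str, zone: str) -> bool:
    return spec.lower() == "any" or spec == zone


def match_policy(rules: List[Rule], src_zone: str, src_ip: str,
                 dst_zone: str, dst_ip: str) -> Optional[Rule]:
    """Evaluate rules top-down and return the first enabled rule that matches (None = implicit drop)."""
    for r in rules:
        if not r.enabled:
            continue
        if (zone_matches(r.src_zone, src_zone) and zone_matches(r.dst_zone, dst_zone)
                and addr_matches(r.src, src_ip) and addr_matches(r.dst, dst_ip)):
            return r
    return None


def thread_rulebase(policy1_enabled: bool, policy2_dst: str) -> List[Rule]:
    """Rulebase from the thread: policy(1) with destination ANY, policy(2) with a specific host, final deny."""
    return [
        Rule("policy1", "VPNzone", "1.1.1.1", "DMZzone", "any", "allow", enabled=policy1_enabled),
        Rule("policy2", "VPNzone", "1.1.1.1", "DMZzone", policy2_dst, "allow"),
        Rule("deny-all", "any", "any", "any", "any", "deny"),
    ]


def lookup(policy1_enabled: bool, policy2_dst: str) -> str:
    """Name of the rule hit for the VPN user 1.1.1.1 reaching DMZ server 2.2.2.2."""
    hit = match_policy(thread_rulebase(policy1_enabled, policy2_dst),
                       "VPNzone", "1.1.1.1", "DMZzone", "2.2.2.2")
    return hit.name if hit else "no-match"


if __name__ == "__main__":
    print(lookup(True, "2.2.2.2"))    # policy1 shadows policy2 while it is enabled
    print(lookup(False, "2.2.2.2"))   # policy2 matches once policy1 is disabled
    print(lookup(False, "2.2.2.20"))  # constructed typo in the destination: falls to deny-all
```

The same three lookups are what the CLI test would report for each rulebase variant; if the real lookup returns the final deny rule, the destination entry of policy(2) does not cover the address seen in the deny log.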

L4 Transporter

@BPry 

Thanks for your reply.

Sorry for that, I don't have a screenshot right now; I have given example IPs. I want to give the specific IPs in the destination. I cannot give destination address - ANY.

Once I disable policy(1) it will bypass policy(2) and hit the deny policy which I have configured at last.

Cyber Elite

@Jafar_Hussain,

Without any other additional information it would appear that something in policy 2 isn't matching the traffic that you are actually seeing in your deny log. Without knowing exactly what has been configured or a copy of the deny log, I can't tell you what it could possibly be. The only thing I can tell you is that I haven't seen any issues in 9.0.9-h1 which would mimic this behavior and point towards a bug in the code.


I would really duplicate what you are seeing in the deny log and put it through the test command listed above and see if it matches the security rulebase entry as desired. 

L4 Transporter

@BPry 

Ok, I will check this.

One more point I want to add. I took the packet capture in the working and non-working conditions.

I got a drop file from the GUI (I checked in Wireshark: the client is sending the SYN packet but after that didn't get any response from the server side). In the non-working condition, at the same time I ran the counter but didn't get any drops in the CLI. Below are the counter logs.

I checked this behaviour with policy(2).


(active)> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 25.181 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_alloc 15 0 info packet resource Packets allocated
pkt_inconsist 5 0 info packet pktproc Packet buffer pointer inconsistent
flow_policy_deny 5 0 drop flow session Session setup: denied by policy
flow_host_pkt_xmt 10 0 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 10 0 info flow mgmt Host vardata not sent: rate limit ok
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------

(active)>
(active)> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 14.115 seconds

--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------

(active)> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 3.963 seconds

--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------

L4 Transporter

I have tried all the possibilities but it is still not working.

Does anyone have another solution for this?

L4 Transporter

Resolution:- Once I created an object for that IP address and allowed it in the security policy, after that it is working fine.

But I am not able to find the root cause of this issue.
