07-20-2020 01:03 PM
Hello,
I have one server that belongs to the DMZ zone.
Example:
server IP - 2.2.2.2
source IP for VPN user - 1.1.1.1
VPN zone
DMZ zone
There are 2 scenarios:
Policy(1) - I have created a policy like:
sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - ANY.
Application - ANY
services - ANY
Action - Allow
no security profile.
Policy(2):
sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - 2.2.2.2
Application - ANY
services - ANY
Action - Allow
no security profile.
I can access 2.2.2.2 by policy(1), but when I apply policy(2) it is not accessible; in the traffic logs it is showing drop and there is no session ID.
PAN-OS version - 9.0.9-h1
07-20-2020 01:10 PM
I would kind of question why you wouldn't be using policy 2 to begin with, but that seems odd if correct. It's kind of hard to troubleshoot when someone types out an entry like this. Can you include a screenshot of the deny log and the two policies in question?
You can log into the CLI as well and test the security rulebase entry, to make sure that the firewall at least does the policy lookup correctly, with the test security-policy-match command and your supplied criteria.
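The check suggested above is a policy lookup: the firewall walks the security rulebase top-down and takes the first enabled rule whose zones, addresses, application and service all match. On the box that is `test security-policy-match from <src-zone> to <dst-zone> source <ip> destination <ip> protocol <num> destination-port <port>`. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python model of that first-match evaluation, loaded with the two policies described in the question plus a constructed final deny rule, so you can see which rule a 1.1.1.1 -> 2.2.2.2 flow should land on and which mistakes (a mistyped destination object, a destination zone that does not match where the route actually points) make it fall through to the deny. The rule names, the "deny-all" rule, the "Trust" zone and the "2.2.2.20" typo are assumptions made for the illustration.

```python
"""Model of top-down, first-match security rulebase evaluation (added example,
not PAN-OS code). Zones, addresses and rule names are constructed inputs."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Rule:
    name: str
    from_zone: str      # zone name or "any"
    to_zone: str        # zone name or "any"
    source: List[str]   # host/CIDR strings, or ["any"]
    destination: List[str]
    application: str    # application name or "any"
    service: str        # e.g. "tcp/443", or "any"
    action: str         # "allow" or "deny"
    disabled: bool = False


def addr_match(entries: List[str], ip: str) -> bool:
    """True if ip falls inside any listed host/network, or the list is 'any'."""
    if "any" in entries:
        return True
    target = ipaddress.ip_address(ip)
    return any(target in ipaddress.ip_network(e, strict=False) for e in entries)


def field_match(entry: str, value: str) -> bool:
    return entry == "any" or entry == value


def policy_lookup(rules: List[Rule], from_zone: str, to_zone: str,
                  src: str, dst: str, app: str = "any",
                  service: str = "any") -> Optional[Rule]:
    """Return the first enabled rule whose every field matches, or None.
    None corresponds to the implicit interzone default deny. At session
    setup (the SYN) the application is not yet identified, so app="any"
    is the realistic value for the lookup the question is about."""
    for r in rules:
        if r.disabled:
            continue
        if (field_match(r.from_zone, from_zone)
                and field_match(r.to_zone, to_zone)
                and addr_match(r.source, src)
                and addr_match(r.destination, dst)
                and field_match(r.application, app)
                and field_match(r.service, service)):
            return r
    return None


def rule_name(r: Optional[Rule]) -> str:
    return r.name if r else "implicit-deny"


# The two policies from the question, plus a constructed explicit deny at the end.
POLICY1 = Rule("policy1", "VPNzone", "DMZzone", ["1.1.1.1"], ["any"], "any", "any", "allow")
POLICY2 = Rule("policy2", "VPNzone", "DMZzone", ["1.1.1.1"], ["2.2.2.2"], "any", "any", "allow")
DENY_ALL = Rule("deny-all", "any", "any", ["any"], ["any"], "any", "any", "deny")  # assumed


def scenarios() -> dict:
    """Run the 1.1.1.1 -> 2.2.2.2 lookup under several rulebase states."""
    flow = dict(from_zone="VPNzone", to_zone="DMZzone", src="1.1.1.1", dst="2.2.2.2")
    results = {}

    both = [POLICY1, POLICY2, DENY_ALL]
    results["both_enabled"] = rule_name(policy_lookup(both, **flow))      # policy1 shadows policy2

    p1_off = [replace(POLICY1, disabled=True), POLICY2, DENY_ALL]
    results["policy1_disabled"] = rule_name(policy_lookup(p1_off, **flow))  # policy2 should match

    # Hypothetical mistake 1: destination object holds the wrong host.
    typo = [replace(POLICY1, disabled=True), replace(POLICY2, destination=["2.2.2.20"]), DENY_ALL]
    results["typo_in_destination"] = rule_name(policy_lookup(typo, **flow))

    # Hypothetical mistake 2: the route to 2.2.2.2 actually egresses a zone
    # other than DMZzone, so the lookup is done with a different to_zone.
    results["wrong_destination_zone"] = rule_name(
        policy_lookup(p1_off, "VPNzone", "Trust", "1.1.1.1", "2.2.2.2"))

    return results


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k:24s} -> {v}")
```

The model is deliberately coarse (no address groups, no service objects, no application-default) but it captures the point of the CLI check: if `test security-policy-match` with the exact zones and addresses from the deny log does not return policy 2, one of the rule's fields does not match the traffic as the firewall sees it, and the rule's destination object and the zone the destination actually routes to are the first things to compare.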
07-20-2020 01:25 PM
Thanks for your reply.
Sorry, I don't have a screenshot right now; I have given example IPs. I want to give the specific IPs in the destination; I cannot give destination address ANY.
Once I disable policy(1), it bypasses policy(2) and hits the deny policy which I have configured at the end.
07-20-2020 01:29 PM
Without any other additional information it would appear that something in policy 2 isn't matching the traffic that you are actually seeing in your deny log. Without knowing exactly what has been configured or a copy of the deny log, I can't tell you what it could possibly be. The only thing I can tell you is that I haven't seen any issues in 9.0.9-h1 which would mimic this behavior and point towards a bug in the code.
I would really duplicate what you are seeing in the deny log, put it through the test command listed above, and see if it matches the security rulebase entry as desired.
07-20-2020 01:41 PM
OK, I will check this.
One more point I want to add: I took packet captures in the working and non-working conditions.
I got a drop file from the GUI (I checked in Wireshark: the client is sending the SYN packet but after that doesn't get any response from the server side). In the non-working condition, at the same time, I ran the counters but didn't get any drops in the CLI. Below are the counter logs.
I checked this behaviour with policy(2).
(active)> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 25.181 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_alloc 15 0 info packet resource Packets allocated
pkt_inconsist 5 0 info packet pktproc Packet buffer pointer inconsistent
flow_policy_deny 5 0 drop flow session Session setup: denied by policy
flow_host_pkt_xmt 10 0 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 10 0 info flow mgmt Host vardata not sent: rate limit ok
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------
(active)>
(active)> show counter global filter packet-filter yes delta yes severity drop
Global counters:
Elapsed time since last sampling: 14.115 seconds
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
(active)> show counter global filter packet-filter yes delta yes severity drop
Global counters:
Elapsed time since last sampling: 3.963 seconds
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
07-25-2020 11:08 AM
Resolution: Once I created an object for that IP address and allowed it in the security policy, it worked fine.
But I am not able to find the root cause of this issue.