DMZ server is not accessable by Global protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DMZ server is not accessable by Global protect

L4 Transporter

Hello,

 

I have one server belongs from the DMZ zone.
Example:-
server ip- 2.2.2.2
source ip for VPN user - 1.1.1.1
VPN zone
DMZ zone

There is 2 scenerio:-
policy(1) - I have created a policy like:-
sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - ANY.
Application - ANY
services - ANY
Action - Allow
no security profile.

 

Policy(2):-

sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ zone
destination IP - 2.2.2.2
Application - ANY
services - ANY
Action - Allow
no security profile.

I can access 2.2.2.2 by policy(1) but when i apply policy(2) it is not accessible in the traffic logs it is showing drop and there is no session ID.

PAN-OS version - 9.0.9-h1

6 REPLIES 6

Cyber Elite
Cyber Elite

@Jafar_Hussain,

I would kind of question why you wouldn't be using policy 2 to begin with, but that seems odd if correct. It's kind of hard to troubleshoot when someone types out an entry like this. Can you include a screenshot of the deny log and the two policies in question?

 

You can log into the CLI as well and test the security rulebase entry and make sure that the firewall at least does the policy lookup correctly as you supplied the command with the test security-policy-match command with your supplied criteria. 

@BPry 

Thanks for your reply.

Sorry for that i don't have a screenshot right now, i have given the example of IP's. i want to give the specific IP's in the destination. i can not give destination address - ANY.

Once i disable policy(1) it will bypass policy(2) and heat the deny policy which i have configured at last.

 

 

 

@Jafar_Hussain,

Without any other additional information it would appear that something in policy 2 isn't matching the traffic that you are actually seeing in your deny log. Without knowing exactly what has been configured or a copy of the deny log, I can't tell you what it could possibly be. The only thing I can tell you is that I haven't seen any issues in 9.0.9-h1 which would mimic this behavior and point towards a bug in the code.

 

I would really duplicate what you are seeing in the deny log and put it through the test command listed above and see if it matches the security rulebase entry as desired. 

@BPry 

Ok i will check this.

One more point i want to add. i took the packet capture with working and non-working condition.

I got a drop file from the GUI( I checked in Wireshark client is sending the SYN packet but after that didnt get any response from server side)  .in the non-working condition at the same time i ran the counter but didn't get any drops in CLI. below are the counter logs.

This behaviour i checked with policy(2).

 

(active)> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 25.181 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_alloc 15 0 info packet resource Packets allocated
pkt_inconsist 5 0 info packet pktproc Packet buffer pointer inconsistent
flow_policy_deny 5 0 drop flow session Session setup: denied by policy
flow_host_pkt_xmt 10 0 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 10 0 info flow mgmt Host vardata not sent: rate limit ok
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------

(active)>
(active)> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 14.115 seconds

--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------

(active)> show counter global filter packet-filter yes delta yes severity drop

Global counters:
Elapsed time since last sampling: 3.963 seconds

--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------

I have tried all the possibility but still is not working.

Has anyone other solution for this.

Resolution:- Once i create a object for that IP address and allow in security policy after that it is working fine.

 

But i am not able to find the root cause of this issue.

  • 3633 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!