Inconsistent policy action on the same traffic flow


L1 Bithead

Hello,

I have a connection flow for the Microsoft Teams Direct Routing domain sip-all.pstnhub.microsoft.com, for which I have a NAT rule and security rules for bidirectional traffic between the Microsoft domain and our DMZ. The issue is that the firewall sometimes allows the traffic from one of the IP addresses that the domain resolves to (e.g. 52.114.76.76), and at other times, a minute or two later, the same IP address and the exact same flow (src and dst zone, interface, IP address, port, etc.) is denied with application "not-applicable". A live packet capture shows exactly that behavior: the traffic was simply policy-denied.

I would really appreciate it if someone could let me know whether anyone has experienced this issue before.

Accepted Solutions

Hi @bambox ,

I suspect that the problem is related to the fact that you are using an FQDN object.

If you take a closer look at the FQDN you will notice that it resolves to multiple IP addresses, but each entry has a TTL of 30 seconds, which means that every 30 seconds the FQDN will resolve to different IP addresses.

When you configure an FQDN address object, the firewall will resolve it (using the DNS servers configured in device settings) and cache the reply for 30 minutes.

The firewall will refresh this cache every 30 minutes, but as the FQDN TTL is 30 seconds, it is very possible for the endpoint and the firewall to use different lists of IPs for that FQDN.

I would suggest replacing the FQDN with the static network address 52.120.0.0/14 and monitoring whether you experience similar drops.

L2 Linker

Hi Bambox,

Can you please explain the situation in a bit more detail?

Are you saying that you already have a rule configured to allow access to Microsoft Teams from your DMZ to the Internet? Are you configuring the rule with the application ID or based on the IP?

If you're receiving "not-applicable" in your traffic logs, then you need to re-verify the placement of your security rule; maybe move the rule to the top of the list and check.

As per the Palo Alto document, not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.

For example, if there was only one rule on the Palo Alto device and that rule allowed the application web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you'll see sessions with "not-applicable" in the application field.

 

Regards

Basavaraj

That was it, thank you so much for your help!
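The timing mismatch that the accepted answer describes (an endpoint that honours a 30-second DNS TTL against a firewall that re-resolves its FQDN object only every 30 minutes) is simulated below, together with the check a practitioner would run before swapping the FQDN for static networks. This is an added example, not code from the thread or from any Palo Alto tool. The address pool beyond 52.114.76.76, the three-addresses-per-answer rotation and the flow timing are constructed assumptions; the prefix 52.112.0.0/14 comes from my own knowledge of Microsoft's published Teams ranges, not from the thread.

```python
import ipaddress

# Constructed sample data, not taken from the thread: an FQDN whose authoritative
# answer rotates through a pool of addresses, three at a time, with a 30-second TTL.
FQDN = "sip-all.pstnhub.microsoft.com"
POOL = [
    "52.114.76.76",   # the address quoted in the original post
    "52.114.132.46",  # remaining pool entries are constructed placeholders
    "52.114.7.24",
    "52.114.14.70",
    "52.114.16.74",
    "52.114.20.29",
]
ANSWER_SIZE = 3
DNS_TTL = 30          # seconds, as stated in the accepted answer
FW_CACHE = 30 * 60    # seconds the firewall keeps its FQDN resolution (accepted answer)


def resolve(t):
    """Simulated DNS answer at time t (seconds): a rotating window over POOL.

    A new window starts every DNS_TTL seconds, so two resolvers that query
    more than one TTL apart will generally see different address lists.
    """
    start = (t // DNS_TTL) % len(POOL)
    return [POOL[(start + i) % len(POOL)] for i in range(ANSWER_SIZE)]


def simulate(duration=FW_CACHE, flow_interval=60):
    """Replay flows from an endpoint that honours the DNS TTL against a firewall
    that re-resolves the FQDN object only every FW_CACHE seconds.

    Returns (allowed, denied): lists of (t, dst_ip). A flow is 'denied' when the
    destination the endpoint chose is absent from the firewall's cached list,
    which is the situation that shows up as a policy deny in the traffic log.
    """
    allowed, denied = [], []
    fw_addrs, fw_refreshed = set(resolve(0)), 0
    for t in range(0, duration, flow_interval):
        if t - fw_refreshed >= FW_CACHE:          # periodic cache refresh
            fw_addrs, fw_refreshed = set(resolve(t)), t
        dst = resolve(t)[0]                        # endpoint uses the first answer it got
        (allowed if dst in fw_addrs else denied).append((t, dst))
    return allowed, denied


def covered_by(ip, prefixes):
    """Return the first prefix in `prefixes` containing `ip`, or None.

    Run this before replacing an FQDN object with static networks: every address
    the FQDN is observed to resolve to should fall inside one of the chosen prefixes.
    """
    addr = ipaddress.ip_address(ip)
    for prefix in prefixes:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


if __name__ == "__main__":
    allowed, denied = simulate()
    print(f"{FQDN}: {len(allowed)} flows matched the cached list, {len(denied)} did not")
    for t, dst in denied[:3]:
        print(f"  t={t:4d}s  dst={dst}  not in firewall cache -> policy deny")
    # The single prefix suggested in the thread does not contain the address from
    # the original post; 52.112.0.0/14 is another Microsoft Teams range from my own
    # knowledge, included only to show the check against a list of prefixes.
    for prefixes in (["52.120.0.0/14"], ["52.120.0.0/14", "52.112.0.0/14"]):
        print(f"  52.114.76.76 covered by {prefixes}: {covered_by('52.114.76.76', prefixes)}")
```

With the constructed rotation, one flow in three picks an address the firewall never cached, which reproduces the "allowed now, denied a minute later" pattern from the first post without any change to the rule base. The prefix check also shows that 52.114.76.76 lies outside 52.120.0.0/14, so a static replacement should be validated against the service's full published address list rather than a single prefix. On PAN-OS the firewall's current resolution of an FQDN object can be listed with `show dns-proxy fqdn all` and a refresh forced with `request system fqdn refresh` (commands from my own notes, not from the thread); comparing that list with the destination of a denied session in the traffic log confirms the mismatch before anything is changed.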
