PA 3020 - new security rule isn't active.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA 3020 - new security rule isn't active.

L4 Transporter

Hey all!

There is a strange problem with my PA 3020 7.1.7:

I need access from a client pc to a printer with many ports so for testing I set up a security rule with application any and service any.

The rule is enabled but it's not effective.

The firewall even doesn't have traffic logs for this connection.

 

I already had this problem in the past, I don't know anymore how I solved it.

 

Are there some things I can do?

 

Thank you!

5 REPLIES 5

L6 Presenter

Hi,

 

Did you enable log in the new policy? Are you sure that the user's traffic is passing (or should pass) the firewall in order to reach the printer? For the test create any to any zone with the source ip of the test pc going to the destination ip of the printer. 

L7 Applicator

@MPI-AE

In addition to @TranceforLife's question: if you log the traffic, do you have no logs for that rule or effectively for that connection (src and dst IP as filter)?

Or is the printer may be not responding (or wrong/no default gateway?) And you have a rule above your any-any-allow rule with an application with default ports "tcp/udp/dynamic", so all connections never hit your test-rule?

If pc sends traffic to printer but printer does not answer then Palo logs application as incomplete.

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

 

Does traffic pass firewall? Even if PC and printer are in different subnet there might be Layer3 switch routing traffic between internal subnets.

Does traffic match this test rule? I mean are source/destination zones correct etc?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks for your answers!

 

I'm not sure what was the exact problem.

 

The connection is now working, but I didn't change anything.

 

That's very strange.

 

But thanks for your support, though!

@MPI-AE,

If I would have to guess you likely want to take a look at the below article. It sounds like you don't have session-rematch enabled and the session wasn't getting properly closed on the session table. 

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-Session-Rematch-Works/ta-p/60326

  • 2090 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!