PA 3020 - new security rule isn't active.
MPI-AE
L4 Transporter

Hey all!

There is a strange problem with my PA-3020 on 7.1.7:

I need access from a client PC to a printer on many ports, so for testing I set up a security rule with application any and service any.

The rule is enabled, but it's not effective.

The firewall doesn't even have traffic logs for this connection.

I already had this problem in the past; I don't remember anymore how I solved it.

Are there some things I can do?

Thank you!

TranceforLife
L6 Presenter

Hi,

Did you enable logging in the new policy? Are you sure that the user's traffic passes (or should pass) through the firewall in order to reach the printer? For the test, create an any-to-any zone rule with the source IP of the test PC going to the destination IP of the printer.

vsys_remo
Cyber Elite

@MPI-AE

In addition to @TranceforLife's questions: if you log the traffic, do you have no logs for that rule, or actually none for that connection (src and dst IP as filter)?

Or is the printer maybe not responding (wrong or no default gateway?), and do you have a rule above your any-any-allow rule with an application whose default ports are "tcp/udp/dynamic", so the connections never hit your test rule?

Raido
L7 Applicator

If the PC sends traffic to the printer but the printer does not answer, then the Palo logs the application as incomplete.

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

 

Does the traffic pass through the firewall? Even if the PC and printer are in different subnets, there might be a Layer 3 switch routing traffic between internal subnets.

Does the traffic match this test rule? I mean, are the source/destination zones correct, etc.?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
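Turning vsys_remo's and Raido's checks into something you can run over an exported traffic log. This is an added example, not code from the thread or from Palo Alto Networks: the log lines are constructed, and the column set is cut down to what the check needs, so adapt the column names to your own export. It filters on src and dst IP, reports whether the test rule or a rule above it matched each session, and treats app `incomplete` with zero bytes received as "the printer never answered".

```python
import csv
import io

# Constructed sample of a PAN-OS-style traffic log export, cut down to the
# columns this check needs (a real export carries many more columns).
SAMPLE_LOG = """\
receive_time,src,dst,from_zone,to_zone,dport,app,rule,action,bytes_received,session_end_reason
2017/03/01 10:00:01,10.1.1.50,10.1.2.20,trust,trust,9100,incomplete,allow-printer-test,allow,0,aged-out
2017/03/01 10:00:05,10.1.1.50,10.1.2.20,trust,trust,515,incomplete,allow-printer-test,allow,0,aged-out
2017/03/01 10:00:09,10.1.1.50,10.1.2.20,trust,trust,631,ipp,allow-web-apps,allow,2048,tcp-fin
2017/03/01 10:00:12,10.1.1.50,10.1.2.20,trust,trust,161,snmp,deny-all,deny,0,policy-deny
2017/03/01 10:00:15,10.1.1.60,8.8.8.8,trust,untrust,53,dns,allow-dns,allow,120,tcp-fin
"""


def parse_log(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def sessions_between(rows, src, dst):
    """Same filter as in the GUI: ( addr.src in X ) and ( addr.dst in Y )."""
    return [r for r in rows if r["src"] == src and r["dst"] == dst]


def diagnose(rows, src, dst, expected_rule):
    """Return one (dport, status, rule) tuple per logged session between src and dst.

    status is one of:
      no-logs   nothing logged for the pair: the traffic never reached the
                firewall (an L3 switch routed it) or the rule does not log
      shadowed  a rule above the test rule matched first
      no-reply  the test rule matched but the server never answered
                (app 'incomplete', zero bytes received): look at the printer
      ok        the test rule matched and the server answered
    """
    hits = sessions_between(rows, src, dst)
    if not hits:
        return [(None, "no-logs", None)]
    findings = []
    for r in hits:
        if r["rule"] != expected_rule:
            status = "shadowed"
        elif r["app"] == "incomplete" or r["bytes_received"] == "0":
            status = "no-reply"
        else:
            status = "ok"
        findings.append((int(r["dport"]), status, r["rule"]))
    return findings


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for dport, status, rule in diagnose(rows, "10.1.1.50", "10.1.2.20", "allow-printer-test"):
        print(f"dport={dport} status={status} rule={rule}")
    # a PC that never shows up in the log at all
    print(diagnose(rows, "10.1.1.70", "10.1.2.20", "allow-printer-test"))
```

In the constructed sample the two raw-print ports hit the test rule but get no reply (a printer or gateway problem, not a policy problem), while 631 and 161 are caught by rules above it, which is the "application with default ports" shadowing vsys_remo describes. A pair with no rows at all is the "no traffic logs" symptom from the original post, which points away from policy and towards the path.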
MPI-AE
L4 Transporter

Thanks for your answers!

I'm not sure what the exact problem was.

The connection is now working, but I didn't change anything.

That's very strange.

Thanks for your support, though!

BPry
Cyber Elite

@MPI-AE,

If I had to guess, you likely want to take a look at the article below. It sounds like you don't have session rematch enabled and the session wasn't getting properly closed in the session table.

https://live.paloaltonetworks.com/t5/Learning-Articles/How-Session-Rematch-Works/ta-p/60326
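A simplified model of the behaviour the linked article describes, added here as an illustration; it is not PAN-OS code and not from the thread. The assumptions are spelled out in the comments: policy is evaluated first-match only when a session is created, later packets of the flow hit the session table and produce no new traffic log, and a commit re-evaluates existing sessions only when rematch is on. The scenario reproduces the thread: a client keeps retrying the printer while a deny verdict sits in the session table, the admin commits an allow rule, and nothing changes until the stale session ages out.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # IP or "any"
    dst: str              # IP or "any"
    dport: Optional[int]  # None means any service
    action: str           # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (self.src in (ANY, src)
                and self.dst in (ANY, dst)
                and self.dport in (None, dport))


# assumption: an implicit deny at the bottom of the policy
DEFAULT_DENY = Rule("default-deny", ANY, ANY, None, "deny")


@dataclass
class Session:
    key: tuple   # (src, dst, dport): stand-in for the real 5-tuple
    rule: str
    action: str


class Firewall:
    """First-match policy in front of a session table (simplified model).

    A session is created on the first packet of a flow and stores the verdict;
    later packets of that flow only do a session lookup, never a policy lookup,
    and write no new traffic log entry.
    """

    def __init__(self, rules, rematch=False):
        self.rules = list(rules)
        self.rematch = rematch
        self.sessions = {}
        self.traffic_log = []

    def _lookup(self, src, dst, dport):
        return next((r for r in self.rules if r.matches(src, dst, dport)), DEFAULT_DENY)

    def packet(self, src, dst, dport):
        key = (src, dst, dport)
        sess = self.sessions.get(key)
        if sess is None:
            rule = self._lookup(src, dst, dport)
            sess = Session(key, rule.name, rule.action)
            self.sessions[key] = sess
            self.traffic_log.append((key, rule.name, rule.action))  # one log per session
        return sess.action

    def commit(self, rules):
        self.rules = list(rules)
        if self.rematch:
            # session rematch: re-evaluate every existing session against the new policy
            for sess in self.sessions.values():
                rule = self._lookup(*sess.key)
                sess.rule, sess.action = rule.name, rule.action

    def age_out(self, src, dst, dport):
        self.sessions.pop((src, dst, dport), None)


def scenario(rematch):
    """Client retries the printer while the admin adds an allow rule above deny-all.

    Returns the verdict before the commit, right after it, after the stale
    session ages out, and the number of traffic log entries written.
    """
    fw = Firewall([Rule("deny-all", ANY, ANY, None, "deny")], rematch=rematch)
    before = fw.packet("10.1.1.50", "10.1.2.20", 9100)
    fw.commit([Rule("allow-printer-test", "10.1.1.50", "10.1.2.20", None, "allow"),
               Rule("deny-all", ANY, ANY, None, "deny")])
    after_commit = fw.packet("10.1.1.50", "10.1.2.20", 9100)
    fw.age_out("10.1.1.50", "10.1.2.20", 9100)
    after_age_out = fw.packet("10.1.1.50", "10.1.2.20", 9100)
    return before, after_commit, after_age_out, len(fw.traffic_log)


if __name__ == "__main__":
    print("rematch off:", scenario(False))  # stays denied until the session ages out
    print("rematch on: ", scenario(True))   # allowed as soon as the commit lands
```

With rematch off, the packet right after the commit is still denied and writes no new log line, which matches "the rule is enabled but not effective, and there are no traffic logs"; once the session ages out the next packet is allowed with nothing else changed, which is the "started working by itself" ending of the thread. On the box itself I would look at the entry with `show session all filter source <pc> destination <printer>`, clear it with the matching `clear session all filter ...`, and turn rematch on with `set deviceconfig setting session rematch yes` in configure mode; those commands are from memory, so check them against the CLI reference for your 7.1 release.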
