PA 5050 Shadow Rule Error

Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA 5050 Shadow Rule Error

L1 Bithead

Hi all,

I am configuring PA 5050 and populationg the security policy rule base. While i am making ule bases , and during commit , i am geting the error message that the Rule3 (suppose rule 3 ) is shadowning Rule 4 in the sequence. I am getting this error repetidly while I am making policies, although there is no resemblence in any filed in Rule 3 and Rule 4. Please suggest if this is a normal behavier or i should do some configuration to avoiding this error message . Also my commit is getting sucessful and my configuration is getting saved , but this error pops up during the commit time.

Any suggestiona dn tips are highly appreciated.



L5 Sessionator


A shadow rule warning means that a more generic rule is configured above a more specific rule. Therefore, the generic rule is always hit and the more specific rule is never hit. Will packets flowing through the rulebase you have ever hit the rule that's being shadowed, or will they always hit the rule that is shadowing?

If you feel this isn't the case for you, maybe give us examples of what your rules look like so we can help.


L4 Transporter


Here is an explaination for Jason's Description with a possible Example:
If following is your security rule set,
Rule1:- Any traffic from zone "L3- Trust" to "L3-Untrust" for any source User , Allow web-browsing, ping and ssl

Rule2:- Any traffic from zone "L3- Trust" to "L3-Untrust" for specific source User( ; , Allow web-browsing, ping and ssl
Please see attachement Capture-security-rules.PNG

The above rules are actually valid rules and doesn't violate the configuration. However the firewall will warn that Rule 2 will never take effect even though it is configured since the policy parsing is from Top to Bottom and the top policy allows Any source user.

When we do a commit we see the shadow message and this is expected.Please see the attachement:- Capture-commit.PNG

If this is not the case and you are having issues with policy configuration, please open a support ticket.



Thanks for the reply. I uderstood the example which you presented , but my case is different in the sence that Rule1 and Rule 2 have no connection inbetween,meaning that Rule 1 and Rule 2 does not coinside in any case except I am allowing ftp application access for both the rules.

I the snapshot FTP server access rule shoadows forbes-FTP access rule , although there is no connection between the two rule . I am using different object groups for both sources and destination for the two rules.

Out of the blue my bet would be that the "ftp.forbes" object is part of one of the groups in the rule below (at the same time as the sourceip stuff is similar).

Perhaps you have used a cidr with to large mask by accident or such?

As a test (if possible), what if you disable the first rule - will the warning disappear and will the service still work (but now hitting rule4 in the traffic logs)?

  • 4 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!