cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PA is Default Deny

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
choff123
L3 Networker
‎04-17-2013 10:09 AM
‎04-17-2013 10:09 AM

PA is Default Deny

Stupid question. Just need confirmation.

PA (42020) devices are default deny correct?

If a packet is not specifically allowed or denied by a rule; when it gets to the bottom of the rules the default action is to deny, correct?

thanks

--CH

Labels:
Tags (2)
0 Likes
Reply

Accepted Solutions
mikand
L6 Presenter
‎04-17-2013 10:11 AM
‎04-17-2013 10:11 AM

Yes its denied but not logged.

In order to get denied packets logged you need to manually put a security policy in the end that says:

srczone: any

dstzone: any

srcip: any

dstip: any

user: any

appid: any

service: any

options: log on session end

action: deny

View solution in original post

Reply

All Replies
mikand
L6 Presenter
‎04-17-2013 10:11 AM
‎04-17-2013 10:11 AM

Yes its denied but not logged.

In order to get denied packets logged you need to manually put a security policy in the end that says:

srczone: any

dstzone: any

srcip: any

dstip: any

user: any

appid: any

service: any

options: log on session end

action: deny

View solution in original post

Reply
Anon1
L4 Transporter
‎04-17-2013 01:09 PM
‎04-17-2013 01:09 PM

Hi,

just be careful with such an "deny all" rule since it will break intrazone traffic (traffic ingress and egress the same zone, this also includes e.g. ping to a data interface when enabled).

You can temporarily enable logging of the default deny rule on the CLI: set system setting logging default-policy-logging

0 Likes
Reply
Jermaine_Scott
L0 Member
‎10-31-2017 02:29 PM
‎10-31-2017 02:29 PM

With an intrazone rule created before it, is there a good reason (security purposes ot other) not to have the Deny All rule in place at the end? Or is it more of personal preference?

0 Likes
Reply
LukeBullimore
L5 Sessionator
‎11-03-2017 02:36 AM
‎11-03-2017 02:36 AM

Creating a Deny-All rule is bad practice, don't do it. If there is intrazone traffic (Trust to Trust for example) that has not been allowed by a previous rule, this will be denied because your Deny-All rule will be matching before the Intrazone-default rule.

 

You don't need to make a deny-all rule to see denied traffic, you can actually click the click the default intra/interzone-default rules, click "Override" next to the Clone button at the bottom to edit them, then you can enable the "Log at session end" options under the Action tab.

Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks