Palo Alto Stopped taking New Policy Traffic.


L1 Bithead

We recently upgraded the Palo Alto version to 9.1.7 on our physical hardware 3200 series. After 2 days we noticed that all policy rules and NAT created before the upgrade work fine. However, the NAT and policy rules which we created after the upgrade are not working. No traffic or hits show in monitoring.

We rebooted the PA once; it is still not fixed. Is it a bug in the current version?

Amar

Community Team Member

Hi @AmardeepSuri ,

 

There's not a lot of info in your post to help you on your way. 

Is traffic reaching your firewall correctly? Is it dropped before actually getting logged (check drop counters)?

 

I'm not aware of a bug describing your issue.

While PAN-OS 9.1.7 seems fine, know that 9.1.8 is the recommended release at the time of this writing.

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi, Thanks,

 

Yes, I observed packet drops increasing frequently. [Attachment: Screenshot 2021-05-27 142446.jpg]

Amar

Community Team Member

Hi @AmardeepSuri ,

 

Please make sure that the traffic you're investigating is actually reaching your firewall correctly (on the correct interface, etc.). You can confirm this with packet captures (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0).

Once you've confirmed that, create a packet filter based on the traffic you're investigating and check the global counters for specific drop counters. If there are any, it's likely they'll give you an indication of why it's being dropped.

Check out the following KB on how to check global counters. There's even a use-case example that shows you how to check the drop counters specifically:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

 

Cheers !

-Kiwi.

 

 
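The workflow Kiwi describes (apply a packet filter, then read the global counters and look at the drop-severity ones that are actually moving) is easier to reason about when two samples are compared. The script below is an added example written for this thread, not code from Palo Alto Networks or the KB articles linked above. The column layout it parses (name, value, rate, severity, category, aspect, description) is an assumption about how `show counter global` output is laid out, and both samples are constructed here for illustration rather than captured from a device.

```python
import re
from typing import Dict, List

# Assumed column layout of `show counter global` output; the regex is tolerant of
# variable spacing and ignores the header, separator and summary lines because
# their second column is not numeric.
COUNTER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\w+)\s+"
    r"(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<description>.+?)\s*$"
)

# Constructed sample: first reading after applying a packet filter to the flow under test.
SAMPLE_BEFORE = """\
Global counters:
Elapsed time since last sampling: 3.646 seconds

name                                   value     rate severity  category  aspect    description
------------------------------------------------------------------------------------------------
flow_policy_deny                          42       11 drop      flow      session   Session setup: denied by policy
flow_policy_nat                            3        0 drop      flow      session   Session setup: NAT policy lookup failed
flow_rcv_dot1q_tag_err                     7        2 drop      flow      parse     Packets dropped: 802.1q tag not configured
pkt_recv                                 981      270 info      packet    pktproc   Packets received
------------------------------------------------------------------------------------------------
Total counters shown: 4
"""

# Constructed sample: second reading a few seconds later with the same filter applied.
SAMPLE_AFTER = """\
Global counters:
Elapsed time since last sampling: 4.102 seconds

name                                   value     rate severity  category  aspect    description
------------------------------------------------------------------------------------------------
flow_policy_deny                          90       12 drop      flow      session   Session setup: denied by policy
flow_policy_nat                            3        0 drop      flow      session   Session setup: NAT policy lookup failed
flow_rcv_dot1q_tag_err                     7        0 drop      flow      parse     Packets dropped: 802.1q tag not configured
pkt_recv                                1500      265 info      packet    pktproc   Packets received
------------------------------------------------------------------------------------------------
Total counters shown: 4
"""


def parse_counters(text: str) -> Dict[str, dict]:
    """Turn one counter listing into {counter_name: row} with numeric value/rate."""
    counters: Dict[str, dict] = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["value"] = int(row["value"])
        row["rate"] = int(row["rate"])
        counters[row["name"]] = row
    return counters


def drop_counters(counters: Dict[str, dict], min_value: int = 1) -> List[dict]:
    """Drop-severity counters with a non-zero value, busiest (highest rate) first."""
    rows = [c for c in counters.values() if c["severity"] == "drop" and c["value"] >= min_value]
    return sorted(rows, key=lambda c: (c["rate"], c["value"]), reverse=True)


def increasing_between(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, int]:
    """Drop counters that grew between two samples; a stale counter with a large
    absolute value is not evidence, only one that moves while the filter is on."""
    deltas = {}
    for name, row in after.items():
        prev = before.get(name, {}).get("value", 0)
        if row["severity"] == "drop" and row["value"] > prev:
            deltas[name] = row["value"] - prev
    return dict(sorted(deltas.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    before = parse_counters(SAMPLE_BEFORE)
    after = parse_counters(SAMPLE_AFTER)
    for row in drop_counters(after):
        print(f"{row['name']:<28} {row['value']:>6} {row['rate']:>5}  {row['description']}")
    print("incrementing while filtered:", increasing_between(before, after))
```

Feed it the text of two successive `show counter global filter severity drop` readings taken with your packet filter applied; the counter that keeps increasing is the one whose description tells you where the packet was discarded, which is exactly the hint the KB article's use case walks through.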

Thanks!,

 

I tried packet capture earlier also, using all 4 capturing options (drop, receive, transmit, and firewall), and I enabled pre-match also. But that only shows me dropped packets with only MAC information; no matching IP defined in the filters.

Amar

Cyber Elite

Hi @AmardeepSuri 

Packets dropped on the interface may not reach the dataplane (where packet captures are performed).

Disabling pre-parse will effectively cancel out filters, as packets are captured before they are parsed (to filter). The dropped packets you are seeing may be the MAC frames you see in the drop stage; are they 'normal' (no malformation)?

You may be distracted from your original issue:

Since NAT does not appear to work, did you make sure the new NAT rules are in the proper order for them to match? Rules are evaluated top to bottom, with the first positive match being used. This could mean rules further down the rulebase are not hit because a preceding rule is too generic, and you will need to reorder your rules.

You can check if your rules exist on the dataplane by using the following command:

show running nat-rules

Then see if the new rules exist or not.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
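Tom's point about top-to-bottom, first-match evaluation is the most common reason a freshly committed rule shows zero hits: a broader rule above it consumes every packet it could have matched. The following is an added example, not code from PAN-OS or from the posters in this thread; it models security and NAT rule matching with a minimal five-tuple-style rule (source, destination, service, action) and flags rules that a preceding rule fully shadows. The rule names and addresses are constructed for the example and the model is IPv4-only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: List[str]        # CIDR strings, or "any"
    dst: List[str]        # CIDR strings, or "any"
    services: List[str]   # e.g. "tcp/443", or "any"
    action: str


def _addr_in(nets: List[str], addr: str) -> bool:
    if "any" in nets:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in nets)


def _svc_in(svcs: List[str], svc: str) -> bool:
    return "any" in svcs or svc in svcs


def first_match(rules: List[Rule], src: str, dst: str, svc: str) -> Optional[Rule]:
    """Top-to-bottom evaluation; the first rule whose match conditions hold wins."""
    for r in rules:
        if _addr_in(r.src, src) and _addr_in(r.dst, dst) and _svc_in(r.services, svc):
            return r
    return None


def _subnet(n: str, c: str) -> bool:
    try:
        return ip_network(n, strict=False).subnet_of(ip_network(c, strict=False))
    except TypeError:  # IPv4 and IPv6 prefixes cannot nest
        return False


def _nets_covered(cover: List[str], nets: List[str]) -> bool:
    """Every prefix in `nets` lies inside some prefix of `cover`."""
    if "any" in cover:
        return True
    if "any" in nets:
        return False
    return all(any(_subnet(n, c) for c in cover) for n in nets)


def _svcs_covered(cover: List[str], svcs: List[str]) -> bool:
    if "any" in cover:
        return True
    if "any" in svcs:
        return False
    return all(s in cover for s in svcs)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, shadowing_rule) pairs: everything the later rule could match is
    already taken by an earlier rule, so the later rule can never be hit."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (_nets_covered(earlier.src, r.src)
                    and _nets_covered(earlier.dst, r.dst)
                    and _svcs_covered(earlier.services, r.services)):
                found.append((r.name, earlier.name))
                break
    return found


def move_above(rules: List[Rule], name: str, target: str) -> List[Rule]:
    """Return a reordered copy with `name` placed directly above `target`."""
    moving = next(r for r in rules if r.name == name)
    remaining = [r for r in rules if r.name != name]
    idx = [r.name for r in remaining].index(target)
    return remaining[:idx] + [moving] + remaining[idx:]


# Constructed rulebase: the new, specific rule was appended below a generic one.
RULEBASE = [
    Rule("allow-lan-out", ["10.0.0.0/8"], ["any"], ["any"], "allow"),
    Rule("new-dmz-web", ["10.20.0.0/24"], ["203.0.113.10/32"], ["tcp/443"], "allow"),
    Rule("deny-all", ["any"], ["any"], ["any"], "deny"),
]

if __name__ == "__main__":
    hit = first_match(RULEBASE, "10.20.0.5", "203.0.113.10", "tcp/443")
    print("hit:", hit.name if hit else None)          # allow-lan-out, not new-dmz-web
    print("shadowed:", shadowed_rules(RULEBASE))
    fixed = move_above(RULEBASE, "new-dmz-web", "allow-lan-out")
    print("after reorder:", [r.name for r in fixed], shadowed_rules(fixed))
```

The same first-match logic applies to the NAT rulebase, which is why a new NAT rule listed in `show running nat-policy` can still show no hits: confirm with `shadowed_rules`-style reasoning (or the firewall's own rule-usage columns) that nothing above it already matches the original packet.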

Thanks, Reaper.

 

As you suggested, I checked the newly created NAT rule. However, I found it in the NAT rules list.

The command you shared did not work. But I tried with <show running nat-rule-ippool rule "Bi-Nat Rule 12-1">

Also, I would like to update that not only is the newly created NAT not working; even an existing policy that allows traffic from a specific source is not working when we add a new source to it.

 

Amar

L6 Presenter

In some cases saving a snapshot of the config, a fast factory default reset, and loading the config again resolves such issues. If your firewall is in HA, this is a thing that the TAC does many times.

 

 

Before that check for commit errors:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG

Cyber Elite

Apologies, the correct command is 

show running nat-policy

Try the following:

> configure

# commit force

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Tried the <commit force>; still the problem is the same.

Amar