We have a cluster in PanOS 8.1.2. Suddenly we were reported that several users didnt work properly. We went to the active node and saw this:
In order to solve quickly we decide to do a failover. After that i worked properly.
So we would like to know why in a node the behaviour is strange. So PA is applying rule wrongly. Its applying the rule "Infected PCs" to connections where source IP shouldnt match.
This only happens in passive node. Active node is working fine. config is sync. Its a weird behaviour.
Why PA is matching sessions if the rule is filter by sourceIP??
You might want to open a TAC case if you havent already. There are code versions after the one you are on and there could be fixes for this issue in the newer ones. You can check by reading through the release notes of hte newest one as they contain a cumulative release note log, i.e. 8.1.4 will contain all release notes from 8.1.0 -8.1.4.
First off I would really keep any 8.1 installs up-to-date if you're going to run it in production; early versions of 8.1 are riddled with bugs that have since been addressed. I would just go ahead and install 8.1.4-h2.
To your specific issue at hand there are a few addressed-issues within 8.1 that deal with the incorrect security policy being applied for a number of various reasons, esspecially of NSX changes if that's how your pulling that address group. I would also really look at the addresses assigned to the address-group and verify that the active unit didn't happen to incorrectly add an address if it's populated dynamically.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!