policy is clear yet traffic is still DENIED

Showing results for 
Show  only  | Search instead for 
Did you mean: 

policy is clear yet traffic is still DENIED

L1 Bithead

hi all, we have a policy that clearly states FROM and TO objects and SMB_override (custom app, I presume, created earlier) as the application. The service is configured as Application-default. As per Monitor, it goes straight through to the deny rule ignoring our Allow rule. The application is correctly identified, the port is right. all looks good. Yet it's being denied. It's not the first time PA does it. It's very frustrating. People now want ANY to ANY because PA works half the time


Accepted Solutions

If the rule isn't there on the firewall, that means it hasn't been pushed down from Panorama yet, which would explain why the traffic is hitting the deny rule

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

View solution in original post


Cyber Elite
Cyber Elite


What version of PAN-OS are you running? It doesn't give a lot of confidence that you are talking about using a custom app-id entry and you're presuming how it was configured if I'm being honest. How was the custom app-id configured? Are you using an application-override policy to override the traffic to your custom SMB_override app-id entry, or are you relying on a signature to identify the traffic? 


When you log into the CLI and run the test security-policy-match command and enter the traffic exactly as displayed in one of the denied log entries is it showing a match in your security rulebase? If you can, share a few copies of the log that isn't matching the target security rulebase entry and the actual entry; chances are something is just improperly configured. 

Thank you, appreciate your help. We are running 9.0.9

Just a basic policy with a custom application. Basic custom app (SMB_Override) with a port (tcp/445). PA correctly recognizes it. I can do screenshot. I can see in the logs it's tcp 445. Yet it just does not work. It's not the first time.


I just had a look and the policy is set to "universal". all the rest are Interzone.


Screenshots would help a lot in this case. The issue with the custom app-id is really more to do with how it, and associated rulebase entries, have been configured. Does your SMB_override have a default port of tcp/445 listed so that your application-default on the service will actually function? Are you using a signature to identify the traffic or an application-override entry? I would assume with something named SMB_override you are simply using an application-override entry to disable layer7 processing on SMB traffic. 


Generally speaking, the firewall won't simply skip processing the traffic properly. More than likely, the denied traffic isn't actually 100% matching something within the security rulebase entry. That could have something to do with how the application-override (assuming there is an entry) is setup, or how the security rulebase entry itself is setup. Something however is causing the firewall to think that traffic doesn't match anymore. 


no signature. A strict default port. That is hard set in the app.


it is logical that it shouldn't just skip.


new update: I am looking at the firewall direct and the rule is missing all together, whereas in Panorama it's there. It could be that when new policy was created and was not pushed?


app group.jpg

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!