04-06-2021 01:51 AM
Hi All,
I'm new to Palo so hope you guys can help me understand something.
We have two almost identical security policies that allow traffic via ports tcp/443 and 80. The first policy uses App IDs, ssl and web-browsing. The second policy uses services tcp/443, 80. My expectation is that the second policy should never be hit since ports 443 and 80 are allowed by the first policy, but this is not the case. Both policies receive a lot of hits on port 443.
My question is, why is the first policy bypassed for tcp/443 traffic?
Thanks!
04-06-2021 05:55 AM - edited 04-06-2021 05:58 AM
This sounds like an Application Shift. The Palo Alto device needs some packets to pass to match the application and service based policy doesn't. Please read carefully the article below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0#A10
Also use policy trace to see which rule you match if as Sutare said you have some bad config:
04-06-2021 04:10 AM
Hi @Inelse ,
If traffic is matching second policy then there is something configured in first policy which is very specific (zones, addresses etc) and not matching the traffic which you're looking for.
Is it possible to share the snap of both policies as well as the traffic log which shows it is matching the second policy to get more understanding?
04-06-2021 05:55 AM - edited 04-06-2021 05:58 AM
This sounds like an Application Shift. The Palo Alto device needs some packets to pass to match the application and service based policy doesn't. Please read carefully the article below:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0#A10
Also use policy trace to see which rule you match if as Sutare said you have some bad config:
04-07-2021 02:25 AM
Thanks Nikolay and Sutare for your responses.
Both rules are identical with the exception that one is using App-ID, the other Services.
Nikolay, your theory makes sense and looks like this is what's actually happening.
So if we disable the service based rule, does this mean that most of the tcp/443 traffic will be blocked? Is there a way to allow any web traffic using App ID without having to specify all possible apps (eg. google, youtube, etc)?
Thanks!
04-07-2021 02:48 AM
Can you just in case place the App-ID rule on top of the service port rule and make certain that the App-ID rule matches the default web-browsing application and all child applications as in many the cases the application will be evaluated as web-browsing and then there could be an application shift and again the policy will be evaluated and there should be a rule before the service port rule that also allows more specific application after the application shift.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/application-default.html
You may use the policy optimizer to see what Applications the the port based rules matches and make app id rules that are placed before the port based rule (read a lot for the policy optimizer and it may do your job for you and be super easy 😞
04-07-2021 04:29 PM
Thanks Nikolay.
It looks like we would have to leave the two rules active as they are. I've checked the applications that are detected by the service port rule and there are just too many. This rule is for general user web traffic so can't be too restrictive.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
