Rules proccessing

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Rules proccessing

L4 Transporter


i have a problem that traffic does not match to a rule

i have this rule

"VIP Users" {

                  profile-setting {

                    profiles {

                      file-blocking "Allowed file type-VIP";



                  option {

                    disable-server-response-inspection no;


                  from any;

                  to any;

                  source any;

                  destination any;

                  source-user [ "cn=vip internet......."];

                  category any;

                  application any;

                  service any;

                  hip-profiles any;

                  action allow;

                  log-start no;

                  log-end yes;

                  negate-source no;

                  negate-destination no;

                  disabled no;


and i can see in the logs that the traffic is matching on a lower rule, which have security profile on it, and i cannot understand why

the "VIP Internet" is a security group and the user is a member of this group and "show user ip-user-mapping ip x.x.x.x" with the client ip is showing this group under the mapped user

i have also try the

test-security-policy command and also the result is matched on a lower rule

what i don't understand is:

1) does the test-security-policy calculates the current group membership?

2) i know that PA will change the applied rule if a more specific application signature is matched, but if i have upper rule with the application "any" so the more specific app is inside the "any" application am i right?

3) how can i troubleshoot it deeper?


L7 Applicator

Hello Minow,

If I understand it correctly, the security policy "VIP Users" is placed on the top of the policy table.

Could you please verify the traffic logs (user name), which is not hitting the first rule " VIP Users":


The Users on the security policy can be one of the below mentioned options: Any, Pre-login, unknown,known-users, select.

known-user—Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the “domain users” group on a domain.  >>>>>>>>>>>>> Could you please check if you have mapping for that user on PAN firewall.

CLI command to verify: > show user ip-user-mapping ip x.x.x.x ( IP address)

Select—Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.

Note: If you are using a RADIUS server and not the User-ID Agent, the list of users is not displayed, and you must enter user information manually.


  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!