This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Rules with schedules failing intermittantly

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Rules with schedules failing intermittantly

jdprovine
L4 Transporter

‎03-01-2018 12:32 PM

I recently upgraded to OS 7.1.15 on my PA 5050, I have two rules with schedules on them and have had for over a year.  In the traffic logs it was showing the traffic going back and forth between denying and allowing the traffic.  When I removed the schedules they worked with no issues. Any ideas what could be going on?

0 Likes Likes
10 REPLIES 10

reaper
Cyber Elite
Cyber Elite

‎03-02-2018 02:30 AM

what does the policy look like and how is the schedule set? are you seeing both allow AND deny happening on the same rule?

 

the behavior for an allow rule, with a schedule 9am-11am should be:

  • connection at 8:50 is processed by a rule below the one with schedule, blocked/allowed by a different rule
  • connection at 9:01 is allowed by rule
  • (new) connection at 11:01 is processed by a rule below the schedule one, existing session that was allowed by policy is still active and will be left to live it's life (unless action is taken to terminate the session)

 

the behavior for a deny rule, with a schedule 9am-11am should be:

 

  • connection at 8:50 is processed by a rule below the one with schedule, blocked/allowed by a different rule
  • connection at 9:01 is blocked by rule
  • (new) connection at 11:01 is processed by a rule below the schedule one, here is a bit of a caveat: if appID is let to create a session before hitting the block rule (eg your block rule is built with applications rather than ports, a session first needs to be created before being able to block based on the app) an existing 'discard phase' session could still be blocking packets matching the tuples after the schedule ends (this is measured in seconds to a few minutes, usually)

so if you could provide a little more detail, that would be helpful 🙂

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jdprovine
L4 Transporter
In response to reaper

‎03-02-2018 05:37 AM - edited ‎03-02-2018 05:39 AM

@reaper

Yes I am seeing both allow and deny on the same rule within seconds.  Its been working consistently for over a year until this week. I upgraded the PA to 7.1.15 from 7.1.13 a week ago. I also reset the regions around the same time. This was allowing our student access to certain server/application from a specific wireless IP range to a specific IP. the rules are built with applications not ports, we took off several things(put them back if it didn't fix it) before we found that removing the schedule fixed it

Here is the schedule information:

 

schedule.PNG

 

 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jdprovine

‎03-02-2018 05:46 AM

hm... that's not supposed to happen...

 

the schedule should make the rules 'invisible' outside of the schedule so they get passed by when the 'decission making process' happens, not reverse the action ...

 

have you reached out to support on this already? If not I'd do that asap 😕

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jdprovine
L4 Transporter
In response to jdprovine

‎03-02-2018 05:47 AM

@reaper

 

here is a sample of the traffice and is bouncing betweening allowing and dropping the traffic with in minutes. It is being denied by the clean up rule and goes off and on through the rule designed to allow the traffic

traffic.PNG

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jdprovine

‎03-02-2018 05:49 AM

hi @jdprovine

 

ok, that looks more normal than I first expected 🙂

would you mind adding the rest of the log in there to get a more complete view? (feel free to obfuscate sensitive data ofcourse)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jdprovine
L4 Transporter
In response to reaper

‎03-02-2018 05:58 AM

@reaper

I feel like a politician redacting classified information this isn't pretty but here it is

 

traffic.PNG

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jdprovine

‎03-02-2018 06:55 AM

@jdprovine

Ok, that does look pretty weird

I fear you will need to have a little chat with support about this

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jdprovine
L4 Transporter
In response to reaper

‎03-02-2018 08:02 AM

@reaper

 

Yup I opened a case with TAC yesterday and am collecting information for them now. I do have a lot of issues that seem to fall outside of the norm

0 Likes Likes

jdprovine
L4 Transporter
In response to reaper

‎03-02-2018 08:03 AM

@reaper

 

Forgot to say is it weird cause of the way I redacted it or how it is behaving LOL 😛

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jdprovine

‎03-02-2018 10:57 AM

@jdprovine haha! Because of the behavior, I won't comment on your 'paint' skillz 😉
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 3405 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks