05-31-2022 07:58 AM
Hello! I am having quite a few strange behaviors from the Palo Alto firewalls. I have a rule for an entire subnet (10.209.82.0/24) to be allowed from inside to outside zones via any port to any IP address, yet there is still somehow traffic being denied. Obviously, this isn't the greatest from a security perspective, but I arrived there out of frustration and trying to get this to work. This is happening with a few other rules as well. I have one that allows 10.209.69.0/25 out to any IP and any port. This one is odd because 10.209.69.110 can match this rule and successfully get out to a public resource that it builds a VPN tunnel to, but 10.209.69.111 doesn't match that rule at all and ends up hitting the default deny rule. I have double-checked the objects over and over to ensure the subnets are correctly configured. A basic NAT is set up to NAT inside to outside to the outside IP address of the Palo Alto, which does work for everything else. I'm able to browse the web, and most other functions within the data center (too many to list) are working correctly. I'm just starting to have more and more wonky issues like this lately.
05-31-2022 08:05 AM
Hello,
Have you checked that the subnets are configured correctly on the interfaces within the zone you are using in your security rule?
Maybe you can share a screenshot of the traffic logs and the security rule so we can check it.
Regards
05-31-2022 08:13 AM
Thanks for your response! I have checked that the subnets are correct a few times. I keep questioning that myself, but they are correct. Here are two screenshots. One is of the actual rule configured, which is essentially wide open for that subnet. The second is a screenshot of the logs where traffic has been denied today.
05-31-2022 08:19 AM - edited 05-31-2022 08:21 AM
Delete application-default and try again...
You are trying to connect to port 10000, and open-vpn uses tcp/1194, tcp/443, udp/1194:
Name: open-vpn
Standard Ports: tcp/1194, tcp/443, udp/1194
Depends on: ssl, web-browsing
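To show why one host matched the rule and the other fell through to the default deny, here is an added Python model of the service-matching step (illustration only, not PAN-OS code and not from anyone in the thread). It assumes a simplified App-ID lookup, constructed sessions for .110 (udp/1194) and .111 (tcp/10000), and a narrower alternative to "service = any", a custom service object for tcp/10000, which is an assumption of this example rather than something the thread proposes.

```python
import ipaddress
from dataclasses import dataclass, field

# App-ID entry quoted in the thread; the only application modelled here.
APP_STANDARD_PORTS = {"open-vpn": {("tcp", 1194), ("tcp", 443), ("udp", 1194)}}

@dataclass
class Rule:
    name: str
    source: ipaddress.IPv4Network
    service: str                                  # "any", "application-default" or a service object name
    services: dict = field(default_factory=dict)  # service object name -> {(proto, port)}

@dataclass
class Session:
    src: str
    app: str      # application as identified by App-ID (simplified: known up front)
    proto: str
    dport: int

def rule_matches(rule, s):
    """Simplified PAN-OS match: source subnet, then the rule's service setting."""
    if ipaddress.ip_address(s.src) not in rule.source:
        return False
    if rule.service == "any":                     # what "delete application-default" gives you
        return True
    if rule.service == "application-default":     # only the app's standard ports are allowed
        return (s.proto, s.dport) in APP_STANDARD_PORTS.get(s.app, set())
    return (s.proto, s.dport) in rule.services.get(rule.service, set())

def first_match(rules, s):
    """Top-down evaluation, first match wins; no match falls to the default deny."""
    for r in rules:
        if rule_matches(r, s):
            return r.name
    return "interzone-default (deny)"

SUBNET = ipaddress.ip_network("10.209.69.0/25")
# Constructed sessions: .110 on a standard OpenVPN port, .111 on port 10000 as in the thread.
HOST_110 = Session("10.209.69.110", "open-vpn", "udp", 1194)
HOST_111 = Session("10.209.69.111", "open-vpn", "tcp", 10000)

# Three versions of the same rule: as originally written, wide open, and (assumed,
# not from the thread) restricted to a custom service object for tcp/10000 only.
APP_DEFAULT = [Rule("allow-vpn-subnet", SUBNET, "application-default")]
WIDE_OPEN = [Rule("allow-vpn-subnet", SUBNET, "any")]
CUSTOM = [Rule("allow-vpn-subnet", SUBNET, "openvpn-10000",
               {"openvpn-10000": {("tcp", 10000)}})]
```

With application-default, .111 on tcp/10000 reaches the default deny while .110 on udp/1194 matches; the custom service object lets tcp/10000 through without opening every port.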
05-31-2022 09:00 AM
That was it! This resolved so many issues for me. I couldn't understand how traffic wasn't matching for quite a few other apps/functions within my network. I greatly appreciate the help!