Shadow Rule warning

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Shadow Rule warning

L2 Linker



When apllying a rules in PA I get the warning message re shadow rule.

I have two rules where 


rule 1 allows SSL between source and dest on standard SSL port 

rule 2 allows SSL between the (same) source and dest on a non standard SSL port 


I get a warning about rule 1 shadowing rule 2


How can I combine ther two rules so that I do not get that warning anymore 

I always assumed that the  two rules could not combined as one rule uses a custom ports.




L7 Applicator

maybe i've missed something here but just have rule 2 as it covers rule 1.





L7 Applicator

its like saying..


1, allow fred to go to tescos with green shoes

2, allow fred to go to tescos with any colour shoes..


1. is pointless, fred gets to tescos regardless of shoe colour,


i would imagine that despite different shoe colours, fred will collect the same ammount of clubcard points on equal purchase, but that may be of no relevance here...



Cyber Elite
Cyber Elite


Are you utilizing app-id in either of the rules? If the answer is yes, you would have to do the following to combine them. 

1) Lookup the standard ports for the listed application, 'SSL' for example. Since it defaults to tcp-443, you would utilize service-https which is included as a service by default. Then for your non-standard port (I'll call it tcp-444) you would build a custom service object that work match for protocol TCP on destination port 444. Then you could allow 'SSL' with the service set as [ service-https tcp-444 ] and all traffic would match this one rule. 


2) You could build out a custom app-id signature that would match the non-standard port. Then you would simply maintain one rule that has the application as [ ssl 'custom-app' ] and traffic would match this one rule. 


3) You could not be using app-id at all, in which case you only actually need to build a service object for the non-standard SSL port and at it into the first rule. 




I think what's happening is that a rule exists that allows application 'SSL' on service 'applicaiton-default', which would cover the standard traffic. 

Then there is another rule that allows application 'SSL' on service 'custom-service'. 




The one thing that I would caution here when setting an identified application to specified services, is to make sure that the app-id updates don't make any changes to how this traffic is actually identified. If your 'custom-app' or whatever is using a custom port gets categorized in a future update as 'splunk', then this rule will stop matching the traffic properly. 

L2 Linker

I have this issue as well.  And while the example is kindergarten simple, the problem continues in many permutations.

I create a rules allowing the many microsoft services that Non-Controllers use between some server networks.

Then I have to make a rule for web-browsing on a non standard port (TCP9201) involving some of the same servers.




Despite that there is NO shadowing whatsoever.  The first rule doesn't allow the traffic the second rule allows. I can't combine them-because that would permit many permutations ot use non-standard ports that should be blocked. 

Clearly the shadow logic completely ignores the SERVICE field of all rules. So many of my non-default port rules are "shadowed" if their protocol was previously allowed with any other service configured.   This is just bad logic on PaloAlto's part.


I think you hit the nail on the head.  In my case:


external-IP-1 has a rule to NAT to internal-IP-1 on service HTTPS

external-IP-1 has a rule to NAT to internal-IP-2 on service HTTP


Same external IP but different internal IP is giving me a shadow rule.  These are bi-directional rules but my understanding is the 'hidden rule' created using bi-directional rules will still abide by the service and therefore not create a shadow rule?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!