The Rule is allowed but hit policy-deny?

L1 Bithead

Hi,

Recently the firewall was upgraded from 6.1.5 to 8.1.6, but after upgrading there is something strange: there is an allowed rule, but in the Monitor tab it hits deny. I tried to move it to the top but still the same issue (Session End Reason: policy-deny).

 

Any help will be highly appreciated.

 

Thanks


Accepted Solutions
L4 Transporter

web-browsing's standard port is tcp/80; your traffic is to tcp/8080. And your policy is to allow web-browsing only on standard ports, so it won't match the policy.

You need to allow web-browsing over tcp/8080 in security policy.

[Attached screenshots: web-brows.PNG, policy.PNG]

 

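To make the accepted answer's point concrete, here is an added example (not from the thread and not Palo Alto Networks code): a simplified model of first-match security-policy evaluation in which a rule with service `application-default` only matches web-browsing on its standard port, so a tcp/8080 session falls through to the interzone-default deny. The rule names, the port map and the `evaluate` helper are assumptions made for illustration.

```python
# Added example: toy model of PAN-OS-style policy matching (not real PAN-OS code).
# Assumptions: first-match evaluation; application-default maps web-browsing to
# tcp/80 only; traffic matching no rule falls to interzone-default (deny).
from dataclasses import dataclass

# Constructed map of standard ports for "application-default"; only the app
# from the thread is modelled here.
APP_DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}}

@dataclass
class Rule:
    name: str
    application: str   # "any" or an App-ID name
    service: object    # "application-default", "any", or a set of (proto, port)
    action: str        # "allow" or "deny"

@dataclass
class Session:
    app: str           # App-ID the firewall identified
    proto: str
    dport: int

def service_matches(rule: Rule, s: Session) -> bool:
    """Service condition of a rule: any, the app's standard ports, or an explicit port set."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    return (s.proto, s.dport) in rule.service

def evaluate(rulebase, s: Session):
    """Return (rule name, action, session end reason) for the first matching rule."""
    for r in rulebase:
        if r.application in ("any", s.app) and service_matches(r, s):
            return r.name, r.action, ("policy-deny" if r.action == "deny" else None)
    # No explicit rule matched: the predefined interzone-default rule denies the session.
    return "interzone-default", "deny", "policy-deny"

# Sessions constructed for the example: same App-ID, different destination ports.
web_8080 = Session("web-browsing", "tcp", 8080)
web_80 = Session("web-browsing", "tcp", 80)

# Rulebase as described in the thread: allow web-browsing with service application-default.
original = [Rule("Allow-Web", "web-browsing", "application-default", "allow")]

# The fix from the accepted answer: allow web-browsing explicitly over tcp/8080.
# A dedicated service object keeps the rule narrower than changing service to "any".
fixed = [Rule("Allow-Web-8080", "web-browsing", {("tcp", 8080)}, "allow")] + original

if __name__ == "__main__":
    print(evaluate(original, web_8080))  # ('interzone-default', 'deny', 'policy-deny')
    print(evaluate(fixed, web_8080))     # ('Allow-Web-8080', 'allow', None)
```

Moving the allow rule to the top, as the original poster tried, changes nothing here because the rule never matches the tcp/8080 session in the first place.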


All Replies
Cyber Elite

@DPWorld,

Can you include a screenshot of the rule that the traffic should be hitting, along with an example of the detailed log view of the traffic that is hitting the interzone-default policy?

Just to verify as well, are you actually hitting the interzone-default policy? If you are hitting the allow security entry that you expect, with the action being allow but the SER being policy-deny, you could possibly simply be running into a certificate pinning issue if you are running decryption. 

L4 Transporter

Hi @DPWorld ,

 

As you have moved from 6 to 8, there are changes to default actions in PA.

Check whether you are hitting the policy behaviour change described below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFtCAK

 

L1 Bithead

[Attached screenshot: PA.JPG]

