The Rule is allowed but hit policy-deny?


L1 Bithead

Hi,

Recently the firewall was upgraded from 6.1.5 to 8.1.6, but after upgrading there is something strange: there is an allowed rule, but in the Monitor tab it hits deny. I tried to move it to the top but still the same issue (Session End Reason: policy-deny).

Any help will be highly appreciated

 

Thanks

Accepted Solutions

The web-browsing standard port is tcp/80; your traffic is to tcp/8080. And your policy will be to allow web-browsing only on standard ports, so it won't match the policy.

You need to allow web-browsing over tcp/8080 in security policy.
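
A simplified model of the matching described in the accepted answer, as an added example that is not part of the original thread and not PAN-OS code: a rule whose service is application-default matches web-browsing only on tcp/80, so a session to tcp/8080 falls through to the interzone-default deny no matter where the rule sits. The rule names, the `evaluate` helper and the sample session are assumptions made for illustration.

```python
# Simplified model of first-match security policy evaluation (illustrative,
# not PAN-OS code). Rule names and the sample session are constructed.
from dataclasses import dataclass

# Standard port for web-browsing, as stated in the accepted answer.
APP_DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}}

@dataclass
class Rule:
    name: str
    apps: set
    service: object  # "application-default", "any", or a set of (proto, port)
    action: str

def service_matches(rule, app, proto, port):
    """Check the rule's service field against the session's protocol and port."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (proto, port) in APP_DEFAULT_PORTS.get(app, set())
    return (proto, port) in rule.service

def evaluate(rules, app, proto, port):
    """Return (rule name, action, near_misses). Near misses are rules that
    matched the application but were skipped because of the port."""
    near = []
    for r in rules:
        if app not in r.apps and "any" not in r.apps:
            continue
        if service_matches(r, app, proto, port):
            return r.name, r.action, near
        near.append(r.name)
    # No rule matched: traffic between zones hits the default deny.
    return "interzone-default", "deny", near

# Rulebase as described in the thread: web-browsing allowed on standard ports only.
before = [Rule("allow-web", {"web-browsing"}, "application-default", "allow")]
# Corrected rulebase: web-browsing additionally allowed over tcp/8080.
after = before + [Rule("allow-web-8080", {"web-browsing"}, {("tcp", 8080)}, "allow")]

if __name__ == "__main__":
    for label, rulebase in (("before", before), ("after", after)):
        print(label, evaluate(rulebase, "web-browsing", "tcp", 8080))
```

The near-miss list is the diagnostic of interest: it names the allow rule that matched the application but was skipped because of the port.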


4 REPLIES 4

Cyber Elite

@DPWorld,

Can you include a screenshot of the rule that the traffic should be hitting along with an example of the detailed log view of the traffic that is hitting the interzone-default policy?

Just to verify as well, are you actually hitting the interzone-default policy? If you are hitting the allow security entry that you expect, with the action being allow but the SER being policy-deny, you could possibly simply be running into a certificate pinning issue if you are running decryption. 

L4 Transporter

Hi @DPWorld ,

 

As you have moved from 6 to 8, there are changes to default actions in PA,

Check whether you are hitting the below policy behaviour change,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFtCAK

 
