Traffic hitting policy rule it shouldn't


L1 Bithead

Hi,

PanOS 9.1.0

I need to block traffic to certain websites and domains.

I created a URL Category object and put just one site inside (example.com).

I then created a firewall rule like this:

Source zone: LAN

Source address: any

Dest Zone: WAN

Dest address: any

Application: any

Service/URL Category: my URL Category Object

Action: ALLOW

(I put it on Allow because at first I just wanted to check what traffic is hitting this rule.)

I immediately noticed a very high hit count on the rule, and when I viewed the rule logs I noticed it is allowing loads of traffic that doesn't relate to example.com.

I'm afraid if I put this rule to Block it will block my outgoing traffic.

What am I missing?

11 REPLIES

My testing shows that it works as intended. If your traffic was allowed after changing that rule to action 'Deny', I would look into the order of the security policy rules and make sure that another rule didn't allow the traffic.

I don't have log at session start, only at session end.

And I checked again, and the traffic is allowed in a rule that is after my block rule.

So it's strange that the fw can't determine the URL category.

What are the URLs in the URL category? Can you test with 'example.com'?

For testing purposes I tried with 'sega.com' 🙂

@Jonathanct

The URL should be 'www.sega.com'.
