UDP log that hit any deny rule and show allow

L2 Linker

UDP log that hit any deny rule and show allow

Hello, I have a question about a UDP session.

rule 34
  untrust any
  trust any
  app icmp, traceroute, ping
  service any
  action allow

rule 214
  any any deny

[Screenshot: 20180616_111325.png]

You can see an allow log that hit rule 214.

I found a similar case about TCP.

https://live.paloaltonetworks.com/t5/Management-Articles/Action-Configured-in-Security-Rules-and-See...

 

I think the UDP session was created hitting rule 34, but I don't understand the UDP log showing allow and hitting rule 214.

Could you explain this log?

Best regards.

L7 Applicator

Re: UDP log that hit any deny rule and show allow

@hbshin,

It might help if you expand one of the sessions so that we can actually see what happened. Just the log doesn't really tell anyone much, but it likely has to do with the fact that you are allowing icmp, traceroute, and ping on service any with an action of allow. My guess would be that if you look at the actual session you'll see something a little different than what the base log is showing in your traffic logs.

L7 Applicator

Re: UDP log that hit any deny rule and show allow

@hbshin

It could be exactly the same behaviour as described in the article you mentioned, as the applications in your screenshot are also analysed with a decoder. When you enable the start log or, even better, do a flow basic analysis, you will probably find out more about this.

 

But besides this behaviour with allow logs for a deny rule: from your screenshot it looks like your trust zone has private IP addresses (RFC1918), so may I ask why you have a rule allowing ping, icmp and traceroute from the internet towards your internal network?

 

And: do you still have these "allowed"-deny-logs when you set the service in rule 34 to application-default?

L2 Linker

Re: UDP log that hit any deny rule and show allow

Hello, @vsys_remo

 

why you have a rule allowing ping, icmp and traceroute from the internet towards your internal network?

- It replaced an old Check Point firewall.

 

And: do you still have these "allowed"-deny-logs when you set the service in rule 34 to application-default?

- There is no allowed log in rule 214 after setting the service in rule 34 to application-default.

 

When the allowed log was created I was doing an HA A-P failover test.

There was always a System log showing the HA state changing from passive to active between the Start time and Receive time of the allowed log.

In other words, I think the allowed log's session was started on the peer.

 

Best regards.
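As an added example (not from the thread and not Palo Alto Networks code), a small Python triage script that does the check hbshin describes: compare each traffic log's logged action with the rule's configured action, and for each mismatch test whether an HA passive-to-active System log falls between the session's Start Time and Receive Time. The log entries, policy map and field names are constructed for the example.

```python
from datetime import datetime

# Constructed sample data (not from the thread). Field names follow the
# PAN-OS traffic log columns the poster refers to: Start Time, Receive Time,
# Rule, Action. The System log entry mimics an HA state change event.
TRAFFIC_LOGS = [
    {"start": "2018/06/16 11:05:02", "receive": "2018/06/16 11:13:25",
     "proto": "udp", "rule": "rule 214", "action": "allow"},
    {"start": "2018/06/16 11:20:10", "receive": "2018/06/16 11:20:41",
     "proto": "udp", "rule": "rule 214", "action": "deny"},
    {"start": "2018/06/16 11:21:00", "receive": "2018/06/16 11:21:03",
     "proto": "icmp", "rule": "rule 34", "action": "allow"},
]
SYSTEM_LOGS = [
    {"time": "2018/06/16 11:09:40",
     "event": "HA state changed from passive to active"},
]
# Configured action per rule, as described in the first post.
POLICY = {"rule 34": "allow", "rule 214": "deny"}


def parse_ts(value):
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def failover_between(start, receive, system_logs):
    """True if an HA passive->active event falls inside [start, receive]."""
    return any(
        start <= parse_ts(e["time"]) <= receive
        and "passive to active" in e["event"]
        for e in system_logs
    )


def triage(traffic, policy, system_logs):
    """Flag traffic entries whose logged action contradicts the rule's
    configured action, and note whether an HA failover happened during
    the session (the poster's explanation for the odd log)."""
    findings = []
    for entry in traffic:
        configured = policy.get(entry["rule"])
        if configured is None or configured == entry["action"]:
            continue
        start, receive = parse_ts(entry["start"]), parse_ts(entry["receive"])
        findings.append({
            "rule": entry["rule"], "proto": entry["proto"],
            "logged": entry["action"], "configured": configured,
            "ha_failover_during_session":
                failover_between(start, receive, system_logs),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(TRAFFIC_LOGS, POLICY, SYSTEM_LOGS):
        print(finding)
```

Feed it exported traffic and system logs from the window of the failover test; a mismatch with the failover flag set is the case described above, while a mismatch without it points back at the decoder behaviour from the linked article.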
