07-27-2020 11:18 AM
I have one server that belongs to the DMZ zone.
Example:
server IP - 2.2.2.2
source IP for VPN user - 1.1.1.1
VPN zone
DMZ zone
There are 2 scenarios:
Policy(1) - I have created a policy like this:
source zone - VPNzone
source IP - 1.1.1.1
destination zone - DMZ zone
destination IP - an address object created for 2.2.2.2.
Application - ANY
services - ANY
Action - Allow
no security profile.
Policy(2):
source zone - VPNzone
source IP - 1.1.1.1
destination zone - DMZ zone
destination IP - 2.2.2.2
Application - ANY
services - ANY
Action - Allow
no security profile.
I can access 2.2.2.2 with policy(1), but when I apply policy(2) it is not accessible. I am not able to find out why this strange behaviour occurs.
Once I applied policy(2), the traffic was dropped.
PAN-OS version - 9.0.9-h1
07-27-2020 02:29 PM
Hello,
I would say make sure you have logging enabled on the policy and check the logs to see why the PAN is denying the traffic.
Regards,
07-28-2020 03:00 AM
Yes, I have checked the same. Once I applied policy-1 it bypasses all the policies and hits the deny any-any directly.
And I can see the traffic is dropped.
07-28-2020 07:34 AM
Hello,
This is definitely interesting. I would suggest opening a support case and see what they can find.
Regards,
07-28-2020 10:11 AM
I would say check the objects and addresses, then look at the source and destination address.
Make sure that under IP netmask it is 1.1.1.1 or 2.2.2.2.
Regards
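The check suggested in this reply (resolve what each address object actually contains and confirm it covers the server IP) can be scripted against an exported configuration. The following is an added example written for this page, not code from the thread or from Palo Alto Networks. The XML it parses is constructed for the example and is only a simplified sketch of the PAN-OS config layout (address/entry/ip-netmask, rulebase/security/rules/entry with from/to/source/destination/action); application and service matching are not modeled, and the address object DMZ-Server is deliberately given a mistyped host (2.2.2.22/32) so that the rule using it falls through to the catch-all deny, which is the failure mode the thread describes.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config for this example (simplified PAN-OS-like layout,
# not a real device export). "DMZ-Server" is intentionally mis-entered.
SAMPLE_CONFIG = """<config>
  <address>
    <entry name="DMZ-Server"><ip-netmask>2.2.2.22/32</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
    <entry name="policy-1">
      <from><member>VPNzone</member></from>
      <to><member>DMZzone</member></to>
      <source><member>1.1.1.1</member></source>
      <destination><member>2.2.2.2</member></destination>
      <action>allow</action>
    </entry>
    <entry name="policy-2">
      <from><member>VPNzone</member></from>
      <to><member>DMZzone</member></to>
      <source><member>1.1.1.1</member></source>
      <destination><member>DMZ-Server</member></destination>
      <action>allow</action>
    </entry>
    <entry name="deny-all">
      <from><member>any</member></from>
      <to><member>any</member></to>
      <source><member>any</member></source>
      <destination><member>any</member></destination>
      <action>deny</action>
    </entry>
  </rules></security></rulebase>
</config>"""


def _load_address_objects(root):
    """Map address-object name -> ip_network. Only ip-netmask objects are handled."""
    objects = {}
    for entry in root.findall("./address/entry"):
        netmask = entry.findtext("ip-netmask")
        if netmask is None:
            raise ValueError(f"address object {entry.get('name')!r} is not an ip-netmask object")
        objects[entry.get("name")] = ipaddress.ip_network(netmask, strict=False)
    return objects


def resolve_member(member, objects):
    """'any' -> None; an object name -> its network; otherwise a literal IP/CIDR."""
    if member == "any":
        return None
    if member in objects:
        return objects[member]
    try:
        return ipaddress.ip_network(member, strict=False)
    except ValueError:
        raise ValueError(f"{member!r} is neither a known address object nor a literal IP")


def _load_rules(root, objects):
    rules = []
    for entry in root.findall("./rulebase/security/rules/entry"):
        def members(tag, entry=entry):
            return [m.text.strip() for m in entry.findall(f"{tag}/member")]
        rules.append({
            "name": entry.get("name"),
            "from": members("from"),
            "to": members("to"),
            "source": [(m, resolve_member(m, objects)) for m in members("source")],
            "destination": [(m, resolve_member(m, objects)) for m in members("destination")],
            "action": entry.findtext("action"),
            "disabled": entry.findtext("disabled") == "yes",
        })
    return rules


def load_config(xml_text):
    """Parse the config text into (address objects, ordered rule list)."""
    root = ET.fromstring(xml_text)
    objects = _load_address_objects(root)
    return objects, _load_rules(root, objects)


def _zone_ok(members, zone):
    return "any" in members or zone in members


def _addr_ok(members, ip):
    return any(net is None or ip in net for _, net in members)


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Top-down first match on zones and addresses; returns (rule name, action)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["disabled"]:
            continue
        if (_zone_ok(rule["from"], src_zone) and _zone_ok(rule["to"], dst_zone)
                and _addr_ok(rule["source"], src) and _addr_ok(rule["destination"], dst)):
            return rule["name"], rule["action"]
    return None, "deny"  # nothing matched: the implicit interzone default is deny


def uncovered_destinations(rule, dst_ip):
    """Destination members of a rule that do NOT contain dst_ip, with their resolved value."""
    dst = ipaddress.ip_address(dst_ip)
    return [(name, str(net)) for name, net in rule["destination"]
            if net is not None and dst not in net]


if __name__ == "__main__":
    objects, rules = load_config(SAMPLE_CONFIG)
    flow = ("VPNzone", "DMZzone", "1.1.1.1", "2.2.2.2")
    print("full rulebase:", first_match(rules, *flow))
    print("without policy-1:", first_match(rules[1:], *flow))
    print("policy-2 members not covering 2.2.2.2:", uncovered_destinations(rules[1], "2.2.2.2"))
```

Run against the sample, the flow hits policy-1 while it is present; with policy-1 removed it falls through to deny-all, and uncovered_destinations shows that DMZ-Server resolves to 2.2.2.22/32 rather than the server's 2.2.2.2. On a real firewall the equivalent check is to compare the object's ip-netmask with the literal in the working rule, then confirm which rule the session is actually hitting in the traffic log before assuming the rule itself is at fault.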
07-28-2020 10:44 AM
Thanks for your reply. My concern is why the firewall denies the traffic once I configure security policy-1 with the IP address given directly in the destination; however, once I created an object for the same IP address and allowed it in the destination, everything works fine.
This issue is occurring only for one IP address; the rest are working fine.
I am not able to find out the reason.
07-28-2020 11:59 AM
You can do a PCAP on the firewall; then you will have more info on why the PA is denying the traffic.
Regards
07-28-2020 12:07 PM
I took a packet capture and found the SYN packet going towards the server, but didn't get any ACK from the server side.
Then TCP retransmission packets were captured.
07-30-2020 07:35 AM
Just curious, did you find a solution for this?
Regards