Unexpected behaviour in security policy

L4 Transporter

I have one server that belongs to the DMZ zone.

Example:
- server IP: 2.2.2.2
- source IP for the VPN user: 1.1.1.1
- VPN zone
- DMZ zone

There are 2 scenarios:

Policy (1): I have created a policy like:
- source zone: VPN zone
- source IP: 1.1.1.1
- destination zone: DMZ zone
- destination IP: create an address object for 2.2.2.2
- Application: ANY
- Services: ANY
- Action: Allow
- no security profile

Policy (2):

- source zone: VPN zone
- source IP: 1.1.1.1
- destination zone: DMZ zone
- destination IP: 2.2.2.2
- Application: ANY
- Services: ANY
- Action: Allow
- no security profile

I can access 2.2.2.2 with policy (1), but when I apply policy (2) it is not accessible. I am not able to find out why this strange behaviour occurs.

Once I applied policy 2, the traffic was dropped.

PAN-OS version - 9.0.9-h1

Cyber Elite

Hello,

I would say make sure you have logging enabled on the policy and check the logs to see why the PAN is denying the traffic.

Regards,

L4 Transporter

@OtakarKlier 

Yes, I have checked the same. Once I applied policy 1, it bypasses all the policies and hits the deny any-any directly.

And I can see the traffic is dropped.

Cyber Elite

Hello,

This is definitely interesting. I would suggest opening a support case and see what they can find.

Regards,

Cyber Elite

@Jafar_Hussain 

I will say check the objects, addresses, then look for the source and destination address.

Make sure under IP netmask it is 1.1.1.1 or 2.2.2.2.

Regards

MP
L4 Transporter

@MP18 

Thanks for your reply. My concern is why the firewall denies the traffic once I configure security policy 1 with the IP address given in the destination; however, once I created the object for the same IP address and allowed it in the destination, everything is working fine.

This issue is occurring only for one IP address; the rest are working fine.

I am not able to find out the reason.

Cyber Elite

@Jafar_Hussain 

You can do a PCAP on the firewall; then you will have more info on why the PA is denying the traffic.

Regards

MP
L4 Transporter

@MP18 

I took the packet capture and found that the SYN packet is going towards the server but didn't get any ACK from the server side.

Then a TCP retransmission packet was captured.
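One way to read a capture like the one described above, added here as an example and not code from the thread or from Palo Alto Networks: it assumes the firewall capture has been summarised into (stage, src, dst, sport, dport, flags) tuples using the PAN-OS capture stages receive, transmit and drop, and it separates a SYN the firewall dropped from a SYN the firewall forwarded that the server never answered, which is what the poster's capture shows. The sample records are constructed.

```python
from collections import defaultdict

# Constructed sample, modelled on the poster's description: (stage, src, dst,
# sport, dport, tcp_flags). Stages are the PAN-OS packet-capture stages
# receive / transmit / drop. The 1.1.1.1 -> 2.2.2.2 flow is the thread's case.
SAMPLE_CAPTURE = [
    ("receive",  "1.1.1.1", "2.2.2.2", 51000, 443, "S"),
    ("transmit", "1.1.1.1", "2.2.2.2", 51000, 443, "S"),
    ("receive",  "1.1.1.1", "2.2.2.2", 51000, 443, "S"),   # SYN retransmission
    ("transmit", "1.1.1.1", "2.2.2.2", 51000, 443, "S"),
    ("receive",  "1.1.1.1", "3.3.3.3", 51001, 443, "S"),   # healthy flow
    ("transmit", "1.1.1.1", "3.3.3.3", 51001, 443, "S"),
    ("receive",  "3.3.3.3", "1.1.1.1", 443, 51001, "SA"),
    ("transmit", "3.3.3.3", "1.1.1.1", 443, 51001, "SA"),
    ("receive",  "1.1.1.1", "4.4.4.4", 51002, 22, "S"),    # dropped by policy
    ("drop",     "1.1.1.1", "4.4.4.4", 51002, 22, "S"),
]


def classify_flows(records):
    """Return {(src, dst, sport, dport): verdict} for every client SYN seen."""
    flows = defaultdict(lambda: {"syn_rx": 0, "syn_tx": 0, "syn_drop": 0, "synack": False})
    for stage, src, dst, sport, dport, flags in records:
        if flags == "S":                              # client-side SYN
            f = flows[(src, dst, sport, dport)]
            if stage == "receive":
                f["syn_rx"] += 1
            elif stage == "transmit":
                f["syn_tx"] += 1
            elif stage == "drop":
                f["syn_drop"] += 1
        elif flags == "SA" and stage == "receive":    # server reply, keyed by the client flow
            flows[(dst, src, dport, sport)]["synack"] = True

    verdicts = {}
    for key, f in flows.items():
        if f["synack"]:
            verdicts[key] = "handshake completed"
        elif f["syn_drop"]:
            verdicts[key] = "SYN dropped by the firewall (check the drop-stage reason and traffic logs)"
        elif f["syn_tx"]:
            verdicts[key] = (f"SYN forwarded {f['syn_tx']} time(s), no SYN-ACK came back: "
                             "look at the server, its default route, or the return path")
        else:
            verdicts[key] = "SYN received but never transmitted or dropped: capture filter too narrow?"
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify_flows(SAMPLE_CAPTURE).items():
        print(key, "->", verdict)
```

A SYN that appears in the transmit stage with no SYN-ACK in the receive stage means the firewall forwarded it, so the remaining suspects are the server and the return path rather than the security policy.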

Cyber Elite

@Jafar_Hussain 

Just curious, did you find a solution for this?

Regards

MP
L4 Transporter

@MP18 

Not yet.
