Unexpected behaviour in security policy

L4 Transporter

I have one server that belongs to the DMZ zone.
Example:
Server IP - 2.2.2.2
Source IP for VPN user - 1.1.1.1
VPN zone
DMZ zone

There are 2 scenarios:
Policy (1) - I have created a policy like this:
Source zone - VPN zone
Source IP - 1.1.1.1
Destination zone - DMZ zone
Destination IP - created an address object for 2.2.2.2
Application - any
Services - any
Action - allow
No security profile.

Policy (2):

Source zone - VPN zone
Source IP - 1.1.1.1
Destination zone - DMZ zone
Destination IP - 2.2.2.2
Application - any
Services - any
Action - allow
No security profile.

I can access 2.2.2.2 with policy (1), but when I apply policy (2) it is not accessible. I am not able to find out why this strange behaviour occurs.

Once I applied policy 2, the traffic was dropped.

PAN-OS version - 9.0.9-h1

Cyber Elite

Hello,

I would say make sure you have logging enabled on the policy, and check the logs to see why the PAN is denying the traffic.

Regards,

@OtakarKlier 

Yes, I have checked the same. Once I applied policy 1, it bypasses all the policies and hits the deny any-any directly.

And i can see the traffic is dropped.

Hello,

This is definitely interesting. I would suggest opening a support case to see what they can find.

Regards,

@Jafar_Hussain 

I would say check the objects and addresses, then look at the source and destination address.

Make sure that under IP netmask it is 1.1.1.1 or 2.2.2.2.

Regards

MP

Help the community: Like helpful comments and mark solutions.
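As an added illustration of the two policies in the original post and of MP's advice to check what the address object actually resolves to (this is example code, not from the thread or from Palo Alto Networks): a small Python script that walks a constructed config fragment shaped like a PAN-OS XML export, resolves address-object names to their ip-netmask, and reports the first rule that matches the VPN-user-to-server flow. Assumptions: only the elements this check needs are present, and every address object is an ip-netmask object; the rule and zone names are made up.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config fragment in the shape of a PAN-OS XML export (assumption: only the
# elements this check needs are present, and all address objects are ip-netmask objects).
CONFIG_XML = """<config>
  <address>
    <entry name="srv-2.2.2.2"><ip-netmask>2.2.2.2/32</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
    <entry name="policy1">
      <from><member>VPNzone</member></from><to><member>DMZzone</member></to>
      <source><member>1.1.1.1</member></source>
      <destination><member>srv-2.2.2.2</member></destination><action>allow</action>
    </entry>
    <entry name="policy2">
      <from><member>VPNzone</member></from><to><member>DMZzone</member></to>
      <source><member>1.1.1.1</member></source>
      <destination><member>2.2.2.2</member></destination><action>allow</action>
    </entry>
    <entry name="deny-any-any">
      <from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source>
      <destination><member>any</member></destination><action>deny</action>
    </entry>
  </rules></security></rulebase>
</config>"""

def _members(rule, tag):
    return [m.text for m in rule.findall(f"./{tag}/member")]

def _addr_hit(members, ip, objects):
    if "any" in members:
        return True
    # An address-object name resolves to its ip-netmask; anything else is a literal IP/CIDR.
    return any(ip in ipaddress.ip_network(objects.get(m, m), strict=False) for m in members)

def first_match(config_xml, from_zone, to_zone, src_ip, dst_ip):
    """Top-down rulebase walk: (rule name, action) of the first hit, or (None, 'deny') for the implicit deny."""
    root = ET.fromstring(config_xml)
    objects = {e.get("name"): e.findtext("ip-netmask") for e in root.findall("./address/entry")}
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in root.findall("./rulebase/security/rules/entry"):
        if (from_zone in _members(rule, "from") or "any" in _members(rule, "from")) \
           and (to_zone in _members(rule, "to") or "any" in _members(rule, "to")) \
           and _addr_hit(_members(rule, "source"), src, objects) \
           and _addr_hit(_members(rule, "destination"), dst, objects):
            return rule.get("name"), rule.findtext("action")
    return None, "deny"
```

If the object's ip-netmask does not actually contain the server (for example a typo such as 2.2.2.20/32), the object-based rule silently misses and the flow falls through to the next rule, which is the kind of mismatch worth ruling out before looking at the server side.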

@MP18 

Thanks for your reply. My concern is why the firewall denies traffic once I configure security policy 1 with the IP address given in the destination; however, once I created an object for the same IP address and allowed it in the destination, everything works fine.

This issue is occurring only for one IP address; the rest are working fine.

I am not able to find out the reason.

@Jafar_Hussain 

You can do a PCAP on the firewall; then you will have more info on why the PA is denying the traffic.

Regards

MP

@MP18 

I took the packet capture and found the SYN packet going towards the server, but no ACK came back from the server side.

Then TCP retransmission packets were captured.

@Jafar_Hussain 

Just curious, did you find a solution for this?

Regards

MP

@MP18 

Not yet.
