This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using IP wildcard masks in security policy rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Using IP wildcard masks in security policy rules

RandyQueen
L0 Member

‎03-11-2022 12:10 PM

I have been adding IP wildcard objects into security policy rules and they have been working until yesterday when I added some new rules with several wildcard objects.  I have looked on the support site to see if there are any limitations on how many wildcard objects you can use in a rule and/or in a policy and I have not found anything.  I have opened a ticket on the support site, but wondering if anyone else has seen any issues using wildcard masks for objects using v9.1.

 

Thank you

0 Likes Likes
2 REPLIES 2

kiwi
Community Team Member

‎03-17-2022 03:22 AM

Hi @RandyQueen ,

 

Were you able to get an answer ?

Are you seeing some error while configuring the rules or are they just not working as you'd expect ?

Any chance to provide some more details ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

RandyQueen
L0 Member
In response to kiwi

‎03-17-2022 06:27 AM

No, I did not get an answer.  I am still waiting on an engineer to connect with me to review what happened as well.

 

We have over 2000 stores and we use the same IP address scheme in each of our stores - the last octet is the same for each device in each store, so we had been using EDLs for the devices and using up a lot of IP addresses.  We have been cloning existing rules and swapping the EDL for a wildcard mask and after confirming it was hitting the new rule, we would remove the EDL in the previously used rule and validate that traffic was not interrupted and hitting the new rule.  It had been working for several weeks, until the last rules that we created.  The traffic did not hit the new rule and for some reason even bypassed the existing rule and traffic was being blocked because it was hitting a rule further down the stack that did not have the same privileges.  The rules created were for one type of device and even traffic for a different device that had been working suddenly was not hitting that rule and getting blocked.

 

I could not find much documentation on the support site other than an explanation of how the wildcard worked and explaining that there could be issues with overlapping based on how much of the binary string was matched.

 

Thank you for asking,

 

Randy

0 Likes Likes
  • 2469 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks