04-07-2026 10:55 PM
I have a question and would like some advice!
We currently operate by applying an “any-any deny” policy at the bottom of the stack and opening ports only for necessary traffic.
I noticed that the hit count is increasing on the “intrazone-default” allow policy at the bottom, even though the “any-any deny” policy is in place.
I enabled logging for the intrazone policy and checked the traffic logs, but most applications show up as “traceroute” or cannot be verified.
Also, while packets are being sent, no received packets are being confirmed.
Could someone explain why the hit count is increasing on the intrazone-default policy even though the any-any deny policy is in place?
Thank you!
04-07-2026 11:17 PM
Hello @JoohyeongLee ,
I assume that your "any-any deny" rule is configured with the service "application-default".
When you select 'application-default' in the Service field of a security policy rule, it means that the specified applications are allowed or denied exclusively on their default ports as defined by Palo Alto Networks. For example, if the DNS application uses TCP port 53 and UDP port 53, this setting would only permit DNS traffic on those specific ports.
The Palo Alto Networks firewall, using its App-ID technology, continuously identifies applications traversing the network regardless of the port or protocol being used. Even when 'application-default' is selected, the firewall still checks for all applications on all ports.
Palo Alto Networks firewalls generally require a maximum of 4 packets or 2000 bytes of data in either direction (not including the TCP handshake) to recognize an application using App-ID. In most cases, the application is identified before this amount of data is received.
So, the intrazone traffic will not match your "any-any deny" rule until the App-ID engine recognizes and labels that traffic.
I recommend that for all your deny rules you set up the service as "any" and not "application-default".
04-07-2026 11:39 PM
Hello. Thank you for your reply!
However, in the policy, everything—including the service port—is set to “any.”
Thank you!
04-08-2026 01:11 AM
This behavior is expected because the intrazone-default rule is still allowing same-zone traffic. To ensure your “any-any deny” rule applies to all traffic (including intra-zone), you should configure it as a Universal policy instead of an Interzone policy.
Explanation
In Palo Alto Networks, security policies can be defined as:
• Interzone → applies only to traffic between different zones
• Intrazone → applies only to traffic within the same zone
• Universal → applies to both interzone and intrazone traffic
If your “any-any deny” rule is configured as Interzone, it will not match intra-zone traffic. As a result, same-zone traffic will fall through and hit the default:
• intrazone-default → allow
This explains why you are seeing increasing hit counts on the intrazone-default rule.
Why You See Traceroute / Incomplete Traffic
The traffic showing as:
• traceroute
• unknown / incomplete
• sent packets with no return
is typically:
• Probing traffic (traceroute, monitoring tools)
• One-way traffic
• Asymmetric routing scenarios
Since this traffic is intra-zone and not matched by your deny rule, it is allowed by intrazone-default.
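To make the rule-type matching described above concrete, here is a small simulation of first-match security-policy evaluation. It is an added example and not code from the thread or from Palo Alto Networks; the zone names, the "allow-trust-out" rule, the sample sessions and the hit counters are constructed for illustration. The two predefined rules at the bottom mirror the PAN-OS defaults named in the reply (intrazone-default allows, interzone-default denies), and the same "any-any deny" rule is evaluated once as Interzone and once as Universal to show which rule the intra-zone sessions end up hitting.

```python
"""Simulate how a PAN-OS style rulebase matches sessions by rule type.

Added example; the rulebase, zones and sessions below are constructed
for illustration and are not taken from the thread.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    rule_type: str        # "universal", "interzone" or "intrazone"
    from_zones: set       # {"any"} matches every source zone
    to_zones: set         # {"any"} matches every destination zone
    action: str           # "allow" or "deny"
    hits: int = 0

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        same_zone = src_zone == dst_zone
        # The rule type is a precondition on top of the zone lists: an
        # Interzone rule never sees same-zone sessions, an Intrazone rule
        # never sees cross-zone ones, and Universal sees both.
        if self.rule_type == "interzone" and same_zone:
            return False
        if self.rule_type == "intrazone" and not same_zone:
            return False
        src_ok = "any" in self.from_zones or src_zone in self.from_zones
        dst_ok = "any" in self.to_zones or dst_zone in self.to_zones
        return src_ok and dst_ok


def build_rulebase(deny_rule_type: str) -> list:
    """Constructed rulebase: one allow rule, the 'any-any deny' rule under test,
    then the two predefined rules that close every PAN-OS rulebase."""
    return [
        Rule("allow-trust-out", "universal", {"trust"}, {"untrust"}, "allow"),
        Rule("any-any-deny", deny_rule_type, {"any"}, {"any"}, "deny"),
        Rule("intrazone-default", "intrazone", {"any"}, {"any"}, "allow"),
        Rule("interzone-default", "interzone", {"any"}, {"any"}, "deny"),
    ]


def evaluate(rulebase: list, src_zone: str, dst_zone: str) -> tuple:
    """First-match evaluation: returns (rule name, action) and bumps the hit count."""
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone):
            rule.hits += 1
            return rule.name, rule.action
    raise RuntimeError("unreachable: the predefined rules match every session")


# Constructed sample sessions as (source zone, destination zone).
SAMPLE_SESSIONS = [
    ("trust", "trust"),     # intra-zone
    ("trust", "untrust"),   # inter-zone, covered by the allow rule
    ("guest", "untrust"),   # inter-zone, no allow rule
    ("dmz", "dmz"),         # intra-zone
]


def hit_counts(deny_rule_type: str) -> dict:
    """Run the sample sessions through a rulebase and return hits per rule."""
    rulebase = build_rulebase(deny_rule_type)
    for src, dst in SAMPLE_SESSIONS:
        evaluate(rulebase, src, dst)
    return {rule.name: rule.hits for rule in rulebase}


if __name__ == "__main__":
    for rule_type in ("interzone", "universal"):
        print(f"any-any-deny as {rule_type}: {hit_counts(rule_type)}")
```

With the deny rule set to Interzone, the two same-zone sessions skip it and land on intrazone-default, which is exactly the rising hit count the question describes; with the rule set to Universal, the same sessions are denied by the any-any rule and intrazone-default stays at zero.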