06-30-2022 08:08 AM
A simple rule is created in my firewall, where the traffic is allowed from our servers to the fqdn which is reaiding in internet. Application is as any and in service 443 is allowed.
Sometimes firewall is allowing the traffic , sometimes it is denying.
The only difference which i observed on the log is action source. If action source is from-policy traffic is allowed and if it is from-application traffic is blocked.
I tried modifying the rule by adding ssl and web-browsing, but no luck
Please suggest here.
07-01-2022 12:42 AM
Hi @Abhishekrs987 ,
I am almost certain that the problem is caused by the FQDN object. More specifically the FQDN you are trying to reach is using DNS loadbalaning which will return differen IPs every few requests.
What (most probably) is happening is that:
- By default firewall is making DNS request every 30mins to resolve the FQDN object used in the policy. When it receive reply it will cache all the IPs and use them in the policy (for the next 30mins). After 30mins it will repeat the process and if it receives different IPs it will replace them in the allow rule.
- Every time user tries to reach the FQDN it will make new DNS request (of course it will cache the reply, but untill the TTL expires).
One way you can try to solve this is to tell the firewall to use the TTL in the DNS response. This will have benefit for FQDNs with short TTL. The problem is it could bring additional load to the management plane (it will force the firewall to make additional DNS queries and constantly updating the policy).
Unfortunately I am not sure that will help agains DNS round robin load balancing, where almost every DNS request receive different reply. I think I have seen such with some Office365 or Azure services....cannot remember specific exmaple right now.
07-06-2022 11:11 PM
Thanks for the response. It is very informative.
But the fqdn which i created is tools1.cisco.com, when i tried resolving it everytime it resolves to a single IP and even in the logs for both the deny and allow logs i am seeing same ip in the destination
07-07-2022 01:31 AM
Hi @Abhishekrs987 ,
Interesting...I can see this FQDN also has very long TTL. Are you able to provide screenshot from your rule and from defailed log view (magnifing glass on the far left of the log entry) for both allowed and denied traffic. Feel free to obfuscate any sensitive information (IP addresses, source users, zone names)
I just re-read your question - as mentioned here - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...
Action Source will specificy where the final action was defined by the rule or by the application. It should be normal to see "from-application" when traffic is blocked. This is because each application definition has "deny action", which will tell the firewall how what to do when it denies the traffic. This is important, because some applications are sensitive and when connection is denied, FW needs to send TCP RST or the connection will stall on either the client or the server.
I am intersted to see the "Session End Reason" log field for both allowed and blocked traffic.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
