Permit statement isn't capturing all the traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Permit statement isn't capturing all the traffic

L1 Bithead

We have a school tied to our organization that's using a PA-850 and is running 10.1.6, and we're trying to get Battle.net working. After considerable troubleshooting, I put in a rule at the very top to permit the "zESports" zone to get to any IP on any zone. See the eSport_to_all_rule image. For some reason, some packets completely bypass this rule and makes their way to the very last rule, which is the interzone-default. This rule resets both ends of the connection, and it's shown in the eSports_reset-both image below.

 

eSport_to_all_rule 

eSports_reset-both 

 

Most of the packets between the two hosts traverse just fine, but the resets come generally after a GET request. I'm not seeing the destination IP in any of the logs, outside of the Traffic log. Does anyone have an idea? Thanks

1 accepted solution

Accepted Solutions

L6 Presenter

Not seeing the images, you put them on OneDrive or something... need to post them here.

 

By default, the intrazone-default and interzone-default rules do not log traffic. Select each from the Security rule list and then click the "Override" button in the bottom task bar and you can then enable logging on the rule. You may also want to enable both start and end logging for the defaults and your special rule. The 2 Traffic log entries may then tell you something about the traffic being identified initially under one rule and then being reclassified to a different rule later.

 

It is important to remember that the PA doesn't work on top-down processing like a traditional firewall, it works on most-specific-match processing. So if the detected category/application/etc. changes as the PA processes more and more packets in the stream, it may suddenly jump to a different Security rule.

View solution in original post

3 REPLIES 3

L6 Presenter

Not seeing the images, you put them on OneDrive or something... need to post them here.

 

By default, the intrazone-default and interzone-default rules do not log traffic. Select each from the Security rule list and then click the "Override" button in the bottom task bar and you can then enable logging on the rule. You may also want to enable both start and end logging for the defaults and your special rule. The 2 Traffic log entries may then tell you something about the traffic being identified initially under one rule and then being reclassified to a different rule later.

 

It is important to remember that the PA doesn't work on top-down processing like a traditional firewall, it works on most-specific-match processing. So if the detected category/application/etc. changes as the PA processes more and more packets in the stream, it may suddenly jump to a different Security rule.

L1 Bithead

intrazone-default was configured to log traffic, so we do see it. We just got it fixed - the application was set to 'any' but the service was set to 'application-default.' Changing the latter to 'any' fixed the problem.

 

Thanks for your time on this, and I'm selecting your response as the answer as it describes the behavior we were seeing.

L6 Presenter

Ah yes... I have been bit by the any/application-default as well when I had a "deny all" rule with logging and yet some traffic was still making it to the intra/interzone-default rules (before I learned how to enable logging there). I should have thought of that initially.

  • 1 accepted solution
  • 2350 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!