06-17-2022 10:18 AM
We have a school tied to our organization that's using a PA-850 and is running 10.1.6, and we're trying to get Battle.net working. After considerable troubleshooting, I put in a rule at the very top to permit the "zESports" zone to get to any IP on any zone. See the eSport_to_all_rule image. For some reason, some packets completely bypass this rule and make their way to the very last rule, which is the interzone-default. This rule resets both ends of the connection, as shown in the eSports_reset-both image below.
Most of the packets between the two hosts traverse just fine, but the resets come generally after a GET request. I'm not seeing the destination IP in any of the logs, outside of the Traffic log. Does anyone have an idea? Thanks
06-17-2022 11:09 AM
Not seeing the images; you put them on OneDrive or something... you need to post them here.
By default, the intrazone-default and interzone-default rules do not log traffic. Select each from the Security rule list and then click the "Override" button in the bottom task bar and you can then enable logging on the rule. You may also want to enable both start and end logging for the defaults and your special rule. The 2 Traffic log entries may then tell you something about the traffic being identified initially under one rule and then being reclassified to a different rule later.
It is important to remember that the PA doesn't work on top-down processing like a traditional firewall, it works on most-specific-match processing. So if the detected category/application/etc. changes as the PA processes more and more packets in the stream, it may suddenly jump to a different Security rule.
06-17-2022 11:55 AM
intrazone-default was configured to log traffic, so we do see it. We just got it fixed - the application was set to 'any' but the service was set to 'application-default.' Changing the latter to 'any' fixed the problem.
Thanks for your time on this, and I'm selecting your response as the answer as it describes the behavior we were seeing.
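The two behaviours discussed in this thread (a session that starts under one rule and ends under another, and the any/application-default trap) can be reasoned about with a small model. The script below is an added illustration, not code from the original thread or from Palo Alto Networks: it is a deliberately simplified, hypothetical policy evaluator (top-down first match, re-evaluated when the identified application changes mid-session) plus a correlator over start/end traffic-log lines. The per-application default-port table, the "blizzard" app name and ports, and the log extract are all constructed for the example and do not reflect real App-ID content or the real PAN-OS CSV column layout.

```python
import csv
from io import StringIO

# Constructed, hypothetical "application-default" port table. Real App-ID
# content has different (and far more) entries; this exists only for the model.
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssl": {443},
    "blizzard": {1119, 6881},  # hypothetical app and ports for the game traffic
}


def service_matches(service, app, dport):
    """Does the rule's service field match a flow of app `app` to port `dport`?"""
    if service == "any":
        return True
    if service == "application-default":
        # Only the standard ports of the *identified* app match. An app seen on a
        # non-standard port, or an app with no default ports, falls through.
        return dport in APP_DEFAULT_PORTS.get(app, set())
    # Explicit service object such as "tcp/8080".
    _proto, _, port = service.partition("/")
    return port.isdigit() and int(port) == dport


def evaluate(rules, app, dport):
    """Top-down first match over the explicit rules. Unmatched traffic lands on
    the implicit interzone-default rule (deny here; the thread overrode it to
    reset-both)."""
    for rule in rules:
        app_ok = rule["app"] == "any" or app in rule["app"]
        if app_ok and service_matches(rule["service"], app, dport):
            return rule["name"], rule["action"]
    return "interzone-default", "deny"


def session_outcome(rules, app_sequence, dport):
    """App-ID can change as more of the stream is seen (e.g. after an HTTP GET),
    and the policy is re-evaluated at each shift. Return the rule that matched
    at session start and the rule in force at session end."""
    start = evaluate(rules, app_sequence[0], dport)
    end = evaluate(rules, app_sequence[-1], dport)
    return start, end


# The rule as it was (service = application-default) and as it was fixed.
BEFORE_FIX = [{"name": "eSport_to_all", "app": "any",
               "service": "application-default", "action": "allow"}]
AFTER_FIX = [{"name": "eSport_to_all", "app": "any",
              "service": "any", "action": "allow"}]

# Constructed traffic-log extract with a simplified column set (not the real
# PAN-OS CSV layout): session id, start|end, dst port, app, rule, action.
TRAFFIC_LOG = """\
sessionid,type,dport,app,rule,action
1001,start,1119,blizzard,eSport_to_all,allow
1001,end,1119,web-browsing,interzone-default,reset-both
1002,start,443,ssl,eSport_to_all,allow
1002,end,443,ssl,eSport_to_all,allow
"""


def find_rule_shifts(log_text):
    """Pair start/end entries by session id and report sessions whose matched
    rule changed between the two log lines. This is why logging both start and
    end on the default rules is useful."""
    by_session = {}
    for row in csv.DictReader(StringIO(log_text)):
        by_session.setdefault(row["sessionid"], {})[row["type"]] = row
    shifts = {}
    for sid, entries in by_session.items():
        if "start" in entries and "end" in entries:
            s, e = entries["start"], entries["end"]
            if s["rule"] != e["rule"]:
                shifts[sid] = (s["rule"], s["app"], e["rule"], e["app"], e["action"])
    return shifts


if __name__ == "__main__":
    stream = ["blizzard", "web-browsing"]  # App-ID shifts after the GET
    print("before fix:", session_outcome(BEFORE_FIX, stream, 1119))
    print("after fix: ", session_outcome(AFTER_FIX, stream, 1119))
    for sid, info in find_rule_shifts(TRAFFIC_LOG).items():
        print(f"session {sid}: start={info[0]}/{info[1]} end={info[2]}/{info[3]} ({info[4]})")
```

With the original rule, the first packets match because the identified app is on one of its default ports, but once App-ID reclassifies the stream to an app that is not on its default port the same session no longer matches and falls to interzone-default. Setting service to "any" (or, more tightly, to an explicit service object covering the ports actually in use) keeps the session on the intended rule across the shift.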
06-17-2022 01:50 PM
Ah yes... I have been bitten by the any/application-default as well when I had a "deny all" rule with logging and yet some traffic was still making it to the intra/interzone-default rules (before I learned how to enable logging there). I should have thought of that initially.