This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Problem with Security Zones.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Problem with Security Zones.

omarali53
L0 Member

‎09-14-2024 03:38 PM

Dear Members, 

I need some help regarding the Paloalto firewall. We are managing the firewalls using the Panorama. I am new in the environment. I have been told that the source subnet resides in the inside zone hence I added the source group in the inside zone configured it correctly. 

omarali53_0-1726352843740.png

In the firewalls logs I can see that the traffic has started hitting the rule (which looks good). But for some reasons the user is reporting that he can not access the service and says that he is getting the error that the port is not reachable but we can see that the traffic on port 443 is allowed. In he below we can see that the traffic is allowed and the source zone is inside (interface ae3.99). the picture is from panorama gui. 

omarali53_1-1726353054367.png

Just to make sure I logged into the CLI of the firewall and checked the routing table and zone of the source subnet. Here I am amazed to see that the CLI is showing a different source zone for the same IP address. here it is showing that the source interface is ae3.199 which is a different zone then inside. 

omarali53_2-1726353282724.png

The routing table also states that the traffic from the subnet 10.151.0.0/16 belongs to the different zone (other than Inside). 

omarali53_3-1726353419343.png

Now I am curious that the Panorama GUI is showing that the source IP 10.151.103.124 belongs to the Inside zone. But the CLI in firewall and routing table states that the same IP belongs to the different zone. Someone please help me how to rectify and resolve this issue? what could be the cause of this problem? 

 

 

0 Likes Likes
2 REPLIES 2

omarali53
L0 Member

‎09-16-2024 12:37 AM

someone please help me. 😞

0 Likes Likes

rmfalconer
L5 Sessionator

‎09-17-2024 04:20 PM

Looks like something is incorrect with your routing. The only route to 10.151.103.124 is through an interface in another zone, not through an interface on the inside zone.

Where is the route for the more specific network 10.151.103.124? Do you have some kind of asymmetric routing happening?

0 Likes Likes
  • 382 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks