Packet Deny even if there is an allow rule


L0 Member

Hello,

 

we encountered an issue with a SaaS service. We created a security rule

 

[attached screenshot: jguffroy_0-1640167686948.png]

 

but randomly we had issues connecting to the application. After a packet capture, I saw a lot of TCP retransmissions and client resets.

 

[attached screenshot: jguffroy_1-1640167824901.png]

When I checked the Panorama logs I saw that the rule is not matched and the flow is denied, but I don't understand why, because the security rule should be permissive enough.

 

[attached screenshot: jguffroy_2-1640167920421.png]

Did you already encounter this issue?

 

Thank you for your feedback.

 

 

 

Julien GUFFROY
3 replies

Cyber Elite

Thank you for the post @jguffroy

 

Based on the screenshots you supplied it is not clear what the root cause is. Would it be possible to navigate in the log to the very left side and click on the magnifying glass, get the session ID from the denied and the allowed log, then navigate to the firewall's CLI and check/compare the details of each session?

 

show session id <session id>

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite

@jguffroy 

 

If you have an FQDN as the destination address, then that can be an issue if the IP behind the URL changes and the PA has not refreshed it.

The default FQDN refresh timer is 30 minutes.

 

You can click on the destination address under Addresses and then click on the FQDN to see which IP it resolves to, and compare it with the deny log.

 

You can also refresh the FQDN so it learns the new IP of the FQDN.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
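The stale-FQDN explanation above (and Pavel's suggestion to pull the session IDs of the denied and allowed flows) can be checked offline before touching the firewall. The following script is an added example, not code from this thread or from Palo Alto Networks. It assumes a hypothetical FQDN object `saas.example.com`, hypothetical rule names `Allow-SaaS` and `interzone-default`, and constructed traffic-log lines in a reduced comma-separated form (not the real PAN-OS CSV layout). It compares what the FQDN object resolved to at its last refresh against the current resolution, then buckets each denied session by whether the destination IP is one the firewall could not yet know about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed snapshots (hypothetical TEST-NET addresses): what the FQDN
# object resolved to at the firewall's last refresh, and what the same name
# resolves to now. On a real firewall the first set comes from the FQDN
# object's resolved addresses, the second from a fresh DNS lookup.
CACHED_FQDN = {"saas.example.com": {"203.0.113.10", "203.0.113.11"}}
CURRENT_FQDN = {"saas.example.com": {"203.0.113.11", "203.0.113.12"}}

# Constructed traffic-log lines, reduced to the fields that matter here:
# action,session id,rule,source,destination,destination port,application
SAMPLE_LOGS = """\
allow,12345,Allow-SaaS,10.1.1.20,203.0.113.11,443,ssl
deny,12346,interzone-default,10.1.1.20,203.0.113.12,443,ssl
deny,12347,interzone-default,10.1.1.21,198.51.100.5,443,ssl
allow,12348,Allow-SaaS,10.1.1.22,203.0.113.10,443,ssl
deny,12349,interzone-default,10.1.1.23,203.0.113.10,8443,unknown-tcp
"""


@dataclass(frozen=True)
class LogEntry:
    action: str
    session_id: int
    rule: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    app: str


def parse_logs(text: str) -> list[LogEntry]:
    """Parse the reduced CSV form above into LogEntry records, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, sid, rule, src, dst, dport, app = line.split(",")
        entries.append(LogEntry(action, int(sid), rule,
                                ipaddress.IPv4Address(src),
                                ipaddress.IPv4Address(dst),
                                int(dport), app))
    return entries


def resolved(snapshot: dict[str, set[str]], fqdn: str) -> set[ipaddress.IPv4Address]:
    """Addresses a snapshot holds for the FQDN, as IPv4Address objects."""
    return {ipaddress.IPv4Address(ip) for ip in snapshot.get(fqdn, set())}


def fqdn_drift(fqdn: str, cached: dict, current: dict) -> tuple[set, set]:
    """Addresses the name gained and lost since the cached refresh."""
    old, new = resolved(cached, fqdn), resolved(current, fqdn)
    return new - old, old - new


def classify_denies(entries: list[LogEntry], fqdn: str,
                    cached: dict, current: dict) -> dict[str, list[int]]:
    """Bucket denied sessions by whether a stale FQDN cache explains them.

    stale_fqdn: destination is in the current resolution but not the cached
                one, so the allow rule could not match it until the next refresh.
    cached_ip:  destination was already in the cached set, so the rule missed
                on another field (port, application, zone); compare the
                session details instead.
    unrelated:  destination never belonged to the FQDN.
    """
    old, new = resolved(cached, fqdn), resolved(current, fqdn)
    buckets: dict[str, list[int]] = {"stale_fqdn": [], "cached_ip": [], "unrelated": []}
    for e in entries:
        if e.action != "deny":
            continue
        if e.dst in new and e.dst not in old:
            buckets["stale_fqdn"].append(e.session_id)
        elif e.dst in old:
            buckets["cached_ip"].append(e.session_id)
        else:
            buckets["unrelated"].append(e.session_id)
    return buckets


if __name__ == "__main__":
    gained, lost = fqdn_drift("saas.example.com", CACHED_FQDN, CURRENT_FQDN)
    print("gained:", sorted(map(str, gained)), "lost:", sorted(map(str, lost)))
    result = classify_denies(parse_logs(SAMPLE_LOGS), "saas.example.com",
                             CACHED_FQDN, CURRENT_FQDN)
    for bucket, ids in result.items():
        print(f"{bucket}: {ids}")
```

Session IDs that land in the stale_fqdn bucket are the ones worth checking with `show session id <session id>` on the firewall right after a manual FQDN refresh (`request system fqdn refresh` on PAN-OS): if the same client reconnects and now matches the allow rule, the refresh interval was the cause. IDs in the cached_ip bucket point at a different field of the rule, since the address was already known when the session was denied.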

Cyber Elite

@jguffroy 

Also check this URL:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
  • 2621 Views
  • 3 replies
  • 0 Likes