This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who Me Too'd this topic

Rule matching: left-to-right question, unexpected output in traffic log

Shanef
L0 Member

‎06-02-2017 01:24 PM

On PA5050 running 7.1.5, in the monitor:traffic logs section,  traffic that matches interzone default rule shows up as matching the first rule in the list.  The first rule is configured like so:

source zone: any, source address: any, user: any, destination zone: any, destination address: any, application: I picked one that is not in-use e.g. 'docstoc-base'.  That is, the rule is configured to match on any source/dest/user and to match a specific application.

 

 

When I apply this rule, traffic flows as expected: firewall rules lower in the list are applied to allow desirable traffic, and undesireable traffic is denied by interzone-default rule at bottom.  

 

However, the traffic logs show traffic being dropped by that first rule instead of interzone-default. 

 

I opened a support case because I expected to see 'interzone-default' rule (it is set for log-at-session-end) in the log when traffic is blocked because it does not match an explicit allow rule higher up in the list.  I was told that this is expected behavior because traffic is matched 'left-to-right' and then 'top-to-bottom' (per this article: https://live.paloaltonetworks.com/t5/Management-Articles/quot-Not-applicable-quot-in-Traffic-Logs/ta...).  That is, app-id settings are not applied until after to/from/ zone/address is evaluated.  However, this doesn't make sense to me because if it were true:

 

  • You wouldn't be able to create a rule blocking an application without to/from zone/address criteria
  • If you did create an application blocking rule, your to/from zone/address criteria to the left of it would be evaluated first, and then the firewall wouldn't ever evaluate the application rule.
  • I should not be able to pass any traffic past rule 1 (it should block everything, by left-to-right logic mentioned above) because I have it configured for from:any to:any, but yet, I can pass traffic as expected and rules below rule 1 are evaluated as expected.

I feel like I must be misunderstanding something, can anyone educate me on this?

 

 

1 person had this problem.
0 Likes Likes
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks