Hi, thanks for the upload. It does not make sense if traffic is steady from known IPs to known ports. There is no AppID in the rule nor userID... What I would do now is get to the CLI and check the packet flow, read out the log of the packet flow and figure out where it goes wrong. Here is the link to the detailed explanation of how to do packet flow captures: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

Here is the list of commands for your first IP address in the destination list (change accordingly):

    debug dataplane packet-diag clear all
    debug dataplane packet-diag set filter match source 194.239.152.126 destination 136.176.237.146
    debug dataplane packet-diag set filter match destination 194.239.152.126 source 136.176.237.146
    debug dataplane packet-diag set log feature flow basic

That so far sets up your filters and debug collection. I would not set for ports because there might be a port change or something along the way; let's capture everything between hosts. Check if the setup is fine by issuing

    debug dataplane packet-diag show settings

If all IP addresses are OK, get everything ready to initiate the connection and then turn on filters, logging and captures by issuing

    debug dataplane packet-diag set filter on
    debug dataplane packet-diag set log on

Initiate the problematic connection (or reset it by killing the session, if you are troubleshooting when it appeared) and wait for it to fail. Once it fails, stop collection of information:

    debug dataplane packet-diag set filter off
    debug dataplane packet-diag set log off

Wait for two minutes, and do

    debug dataplane packet-diag aggregate-logs
    less dp-log pan_packet_diag.log

Search for the first initiating packet (normal "less" behavior as in any Linux) and follow the flow as it went through the firewall, from ingress to slowpath to fastpath and forward - you will see all the details and will be able to read out what happened to it.

If the firewall has several dataplanes, then it will be less dp0-log or dp1-log or other dp, but any session will always initiate in dp0 and while it might be moved to other dataplanes if they exist, depending on their load, it will also say so in the logs from dp0. If reading the file becomes too complicated, create a tech support file, download it, unzip it, find the log in question and paste it anonymously to some pastebin so I can read it? I am not bad at reading those flows. If reading my instructions becomes too complicated, ... sorry 🙂 ask for clarification, rather than guessing. DON'T forget to stop logging (do "show setting" to see if you disabled it) and don't do this without TAC assistance if you are unsure of the health of the firewall (too busy or critical, etc.)... you can always blame them if it goes wrong 🙂 Otherwise, I am not sure what to tell you, I am thinking your traffic is having some issues, I have never seen such a "straight-forward" rule fail.. sounds really strange that anything would miss such a simple rule, right? Let me know the results, I am intrigued now. Regards
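The post above ends with the hard part: reading pan_packet_diag.log and following one connection from ingress through slowpath to fastpath until it is forwarded or dropped. The script below is an added example by the editor, not code from the poster or from Palo Alto Networks. It parses a constructed, simplified imitation of "flow basic" output (the "== timestamp ==" record headers, "Packet received at <stage> stage, tag N", and the IP:/TCP: lines of the decoded dump) for the two hosts used in the post's filter, lists the stages each packet hit, collects the session id, and reports the first drop reason. The line patterns are assumptions about the log format; real output has more fields and varies between PAN-OS versions, so treat the regexes as a starting point to adjust against your own log, not as a specification.

```python
"""Follow one host pair through a PAN-OS 'flow basic' packet-diag log.
Added example; the sample log is CONSTRUCTED and the line patterns are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed imitation of pan_packet_diag.log: client SYN at ingress -> slowpath
# session setup -> server SYN/ACK on the fastpath -> client ACK dropped, plus one
# record from an unrelated host pair (as seen when the filter is broader).
SAMPLE_LOG = """\
== 2024-03-01 10:15:02.100 +0000 ==
Packet received at ingress stage, tag 0, type ORDERED
IP:     194.239.152.126->136.176.237.146, protocol 6
TCP:    sport 51234, dport 443, seq 100, ack 0, flags 0x02 ( SYN)
== 2024-03-01 10:15:02.101 +0000 ==
Packet received at slowpath stage, tag 0, type ATOMIC
IP:     194.239.152.126->136.176.237.146, protocol 6
TCP:    sport 51234, dport 443, seq 100, ack 0, flags 0x02 ( SYN)
Session setup: ingress interface ethernet1/1 egress interface ethernet1/2
Policy lookup, matched rule index 7
Allocated new session 18822
== 2024-03-01 10:15:02.130 +0000 ==
Packet received at fastpath stage, tag 18822, type ATOMIC
IP:     136.176.237.146->194.239.152.126, protocol 6
TCP:    sport 443, dport 51234, seq 0, ack 101, flags 0x12 ( SYN ACK)
Packet forwarded to egress interface ethernet1/1
== 2024-03-01 10:15:02.131 +0000 ==
Packet received at fastpath stage, tag 18822, type ATOMIC
IP:     194.239.152.126->136.176.237.146, protocol 6
TCP:    sport 51234, dport 443, seq 101, ack 1, flags 0x10 ( ACK)
Packet dropped, TCP out of window check failed
== 2024-03-01 10:15:03.000 +0000 ==
Packet received at ingress stage, tag 0, type ORDERED
IP:     10.9.9.9->8.8.8.8, protocol 17
UDP:    sport 5555, dport 53
"""

# Assumed line shapes; adjust after looking at a real log from your firewall.
HEADER = re.compile(r"^== (\S+ \S+) [+-]\d{4} ==$")
STAGE = re.compile(r"^Packet received at (\w+) stage, tag (\d+)")
IPLINE = re.compile(r"^IP:\s+(\S+)->(\S+), protocol (\d+)")
PORTS = re.compile(r"^(?:TCP|UDP):\s+sport (\d+), dport (\d+)")
EVENT = re.compile(r"^(Session setup:|Policy lookup|Allocated new session|Packet forwarded)")


@dataclass
class Record:
    ts: str
    stage: str = "?"
    tag: int = 0  # session id once the packet is on the fastpath
    src: str = ""
    dst: str = ""
    sport: int = 0
    dport: int = 0
    events: List[str] = field(default_factory=list)
    dropped: str = ""  # drop reason; empty if the packet was not dropped


def parse_packet_diag(text: str) -> List[Record]:
    """Split the log into one Record per '== ts ==' block and pull out the fields."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = Record(ts=m.group(1))
            records.append(cur)
        elif cur is None:
            continue  # text before the first record header
        elif m := STAGE.match(line):
            cur.stage, cur.tag = m.group(1), int(m.group(2))
        elif m := IPLINE.match(line):
            cur.src, cur.dst = m.group(1), m.group(2)
        elif m := PORTS.match(line):
            cur.sport, cur.dport = int(m.group(1)), int(m.group(2))
        elif line.startswith("Packet dropped"):
            cur.dropped = line.partition(",")[2].strip() or line
        elif EVENT.match(line):
            cur.events.append(line.strip())
    return records


def follow_flow(records: List[Record], host_a: str, host_b: str) -> List[Record]:
    """Keep only packets between the two hosts, either direction, in log order."""
    pair = {host_a, host_b}
    return [r for r in records if {r.src, r.dst} == pair]


def summarize(flow: List[Record]) -> dict:
    """Stages the flow passed through, session ids seen, and the first drop, if any."""
    ids = {r.tag for r in flow if r.tag}
    for ev in (e for r in flow for e in r.events):
        if m := re.match(r"Allocated new session (\d+)", ev):
            ids.add(int(m.group(1)))
    drops = [(r.ts, r.stage, r.dropped) for r in flow if r.dropped]
    return {"stages": [r.stage for r in flow], "sessions": ids,
            "first_drop": drops[0] if drops else None}


if __name__ == "__main__":
    flow = follow_flow(parse_packet_diag(SAMPLE_LOG), "194.239.152.126", "136.176.237.146")
    for r in flow:
        print(r.ts, r.stage, r.src, "->", r.dst, r.dropped or "; ".join(r.events))
    print(summarize(flow))
```

Run it against a real file with `parse_packet_diag(open("pan_packet_diag.log").read())` and the same host pair you set in the filter; the stage list is what the post tells you to trace by eye in less, and the first drop reason (or its absence) is the thing to bring to TAC or to the thread.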