About igobejishvili

I do have deny any configured exclusively in the end with logging enabled. Could this be something related to firewall being a VM version? Also PA VMs don't have an override option for their default rules.     ... View more

Bumping and old thread here, but is there any practical approach to this round-robin resolving discrepancy between host and firewall?   I have several FQDN-s to which internal host has to communicate to and facing exactly the same problem. IP address resolved by the client host differs from one present in firewall's cache at that time and security rule fails. I would configure all those load balanced IP addresses statically, but they get changed faster than the diapers on newborns 😞 ... View more

Thank you for your input.   I've added static routes and traffic flows correctly. Looks like once static route points to tunnel interface associated with policy based IPsec tunnel, then traffic correctly flows through appropriate proxy ID sub-tunnels based on destination prefix. ICMP is successful and packet encaps/decaps increase accordingly.   However my problem with failover still persists. If primary IPsec tunnel goes down, static routes are not withdrawn from routing table and traffic effectively gets blackholed. Since "outer" associated tunnel has no IP address, I'm unable to configure tunnel monitoring or path monitoring for static routes. There is no source IP address available to source ICMP from. ... View more

Thank you for the reply. That's exactly what I've ended up doing. MASQUERADE on the Linux server with its own IP for specific source networks (ingress via PBF) and then srcnat of that DMZ IP to Outside on PA. I can observe two sessions per flow, one to the server and another corresponding flow from the server. ... View more

I found what the problem was. It has to do with application IDs.   If you leave application to "any" and apply URL filtering profile with URL category, it only matches "web-browsing" and "ssl" app-ids for URL list regex. Anything else associated with that URL will be governed by predefined category containing it and get blocked. If you add the rest of app-ids exclusively (necessary for a webpage like wetransfer for example), then it will correctly allow traffic on that rule.   That's why when I was matching with "any" in application field, I could see hits on specific rule but also see blocking from generic rule. web-browsing and ssl were matched in specific rule, wetransfer-base etc., matched further down in generic. Seems like "any" doesn't really mean any in the world of PA...   Actually if URL requires only web-browsing and ssl app-ids it works even with URL category only, but there is a caveat. Rules with URL category only will ignore any other app-ids (even added exclusively) except web-browsing and ssl. Pretty convoluted I should say.     Thanks for helping me 🙂 ... View more