Palo Alto Networks Knowledgebase: What is a Shadow Rule?

What is a Shadow Rule?

Created On 02/07/19 23:56 PM - Last Updated 02/07/19 23:56 PM
Policy
Resolution

When committing a configuration, a warning may appear that one rule "shadows" another rule.

Rule 'rule1' shadows 'rule2'

Configuration committed successfully

A shadow rule warning generally indicates that a broader rule matching the same criteria is positioned above a more specific rule, so traffic is consumed by the broader rule before the specific one is ever evaluated.

See this example:

(Screenshot 1.png: two security rules; the first allows any application, the second, below it, allows only web-browsing.)

No traffic will ever match the second rule, which specifically allows web-browsing, because all applications have already been allowed by the first rule.
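To show how the "shadows" check in the commit output can be reproduced offline, the following is an added example (not code from the Palo Alto Networks article or from PAN-OS) that models a security rulebase as ordered match criteria and flags any rule whose every match field is already covered by an earlier rule. It assumes a simplified rule with zone, address, application and service fields, treats the PAN-OS keyword "any" as a wildcard, ignores the action (a deny above an allow shadows it just the same, because the lower rule is never reached), and does not model address-group expansion, user or URL-category matching, negated fields, or FQDN resolution. The rulebase is constructed for the example; the first two rules mirror the article's screenshot.

```python
"""Shadow-rule check over a simplified, ordered security rulebase (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = frozenset({"any"})  # PAN-OS 'any' wildcard on a match field

# Fields compared by the shadow check; action is deliberately not among them.
MATCH_FIELDS = ("src_zone", "dst_zone", "source", "destination",
                "application", "service")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: FrozenSet[str] = ANY
    dst_zone: FrozenSet[str] = ANY
    source: FrozenSet[str] = ANY
    destination: FrozenSet[str] = ANY
    application: FrozenSet[str] = ANY
    service: FrozenSet[str] = ANY
    action: str = "allow"  # hypothetical field; not used by the shadow check


def rule(name: str, action: str = "allow", **fields) -> Rule:
    """Build a Rule, converting str or list field values to frozensets."""
    converted = {}
    for key, value in fields.items():
        if isinstance(value, str):
            value = [value]
        converted[key] = frozenset(value)
    return Rule(name=name, action=action, **converted)


def covers(broad: FrozenSet[str], specific: FrozenSet[str]) -> bool:
    """True if everything matched by `specific` is also matched by `broad`."""
    if broad == ANY:
        return True
    if specific == ANY:
        return False  # 'any' below a restricted field still sees extra traffic
    return specific <= broad


def shadows(upper: Rule, lower: Rule) -> bool:
    """`upper` shadows `lower` when it covers every match field of `lower`."""
    return all(covers(getattr(upper, f), getattr(lower, f)) for f in MATCH_FIELDS)


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowing rule, shadowed rule) pairs, in rulebase order.

    Only single-rule shadowing is reported, and only the first (top-most)
    shadowing rule for each shadowed rule.
    """
    findings = []
    for i, lower in enumerate(rules):
        for upper in rules[:i]:
            if shadows(upper, lower):
                findings.append((upper.name, lower.name))
                break
    return findings


# Constructed sample rulebase; rule1/rule2 mirror the article's screenshot.
SAMPLE_RULEBASE = [
    rule("rule1", src_zone="trust", dst_zone="untrust", application="any"),
    rule("rule2", src_zone="trust", dst_zone="untrust", application="web-browsing"),
    rule("rule3", src_zone="dmz", dst_zone="untrust", application="ssl"),
    rule("block-ftp", application="ftp", action="deny"),
    rule("allow-ftp-dmz", src_zone="dmz", application="ftp"),
]


def commit_warnings(rules: List[Rule]) -> List[str]:
    """Render findings in the same form as the commit warning in the article."""
    return [f"Rule '{upper}' shadows '{lower}'" for upper, lower in find_shadowed(rules)]


if __name__ == "__main__":
    for line in commit_warnings(SAMPLE_RULEBASE):
        print(line)
```

Running the script prints the two warnings the sample rulebase deserves: rule1 shadows rule2 exactly as in the article, and block-ftp shadows allow-ftp-dmz even though the actions differ, because allow-ftp-dmz can never be reached. rule3 is not flagged, since its source zone is outside rule1's match.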

The shadow rule warning can also appear if there are unresolved FQDNs. If FQDN address objects are configured, make sure they are resolved by checking from the CLI with this command:

>request system fqdn show

See Also

Unresolved FQDNs in Security Policy Result in Shadow Policy Warning During Commit

owner: ukhapre


