Palo Alto Networks Knowledgebase: What is a Shadow Rule?

Created On 09/25/18 19:20 PM - Last Updated 02/07/19 23:56 PM

When committing a configuration, a warning may appear that one rule "shadows" another rule.

Rule 'rule1' shadows 'rule2'

Configuration committed successfully

A shadow rule warning generally indicates that a broader rule matching the same criteria is placed above a more specific rule, so the rulebase's first-match evaluation never reaches the lower rule.

See this example:


No traffic will ever match the second rule, which specifically allows web-browsing, because all applications have already been allowed by the first rule.
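The first-match logic behind that warning, as an added example that is not from this KB article or from PAN-OS itself (the field names and the sample rulebase are constructed, and the checker only compares one earlier rule at a time):

```python
# Added example (not from the Palo Alto KB page): a minimal first-match
# rulebase checker that flags a rule as shadowed when an earlier rule's
# match criteria are a superset of its own, so it can never be hit.
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: frozenset = ANY
    dst_zone: frozenset = ANY
    src_addr: frozenset = ANY
    dst_addr: frozenset = ANY
    app: frozenset = ANY
    service: frozenset = ANY
    action: str = "allow"   # action does not affect matching, only the verdict

def _covers(earlier, later):
    """True if everything the later field can match is also matched by the earlier field."""
    return earlier == ANY or (later != ANY and later <= earlier)

def shadows(earlier: Rule, later: Rule) -> bool:
    """True when 'earlier' matches every packet 'later' could match (first-match order)."""
    fields = ("src_zone", "dst_zone", "src_addr", "dst_addr", "app", "service")
    return all(_covers(getattr(earlier, f), getattr(later, f)) for f in fields)

def find_shadowed(rules):
    """Return (shadowing_rule, shadowed_rule) name pairs, mirroring the commit warning."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadows(earlier, later):
                out.append((earlier.name, later.name))
                break   # one warning per shadowed rule is enough
    return out

# Constructed sample rulebase reproducing the KB's example: rule1 allows any
# application, rule2 below it allows only web-browsing and can never match.
RULES = [
    Rule("rule1", src_zone=frozenset({"trust"}), dst_zone=frozenset({"untrust"})),
    Rule("rule2", src_zone=frozenset({"trust"}), dst_zone=frozenset({"untrust"}),
         app=frozenset({"web-browsing"})),
    Rule("rule3", src_zone=frozenset({"dmz"}), dst_zone=frozenset({"untrust"}),
         app=frozenset({"ssl"})),
]

if __name__ == "__main__":
    for earlier, later in find_shadowed(RULES):
        print(f"Rule '{earlier}' shadows '{later}'")
```

A rule that is only covered by the union of several earlier rules is not reported by this single-rule comparison, so a clean result here does not prove every rule is reachable.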

The shadow rule warning can also appear if there are unresolved FQDNs. If FQDN objects are configured, make sure they resolve from the CLI by using this command:

>request system fqdn show

See Also

Unresolved FQDNs in Security Policy Result in Shadow Policy Warning During Commit

owner: ukhapre
