Unresolved FQDNs in Security Policy Result in Shadow Policy Warning During Commit
Resolution
Symptom
If the Palo Alto Networks firewall is not able to resolve FQDN entries in a security policy while performing a commit, a message appears stating that a rule is being shadowed by another rule.
Cause
The symptom above arises when FQDNs in multiple policies are invalid or the DNS server is unreachable or non-responsive. The commit succeeds, but an unresolved FQDN in a security policy produces the message indicating that a rule will not be matched due to being shadowed by another rule.
For example:
The following security policies are implemented from the trust zone to the untrust zone, and use FQDNs (not-exist.com and not-exist2.net) that are invalid:
- test1-not-exist-dst : source any / destination FQDN: not-exist.com / application any
- test1-not-exist-dst2 : source any / destination FQDN: not-exist2.net / application any
Show the job details for the commit operation:
> show jobs id 1
Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2013/09/09 14:17:21 1 AutoCom FIN OK 14:19:03
Warnings:
Details:VSYS1
Security Policy:
- Rule 'test1-not-exist-dst' shadows rule 'test1-not-exist-dst2'
(Module: device)
Configuration committed successfully
Successfully committed last configuration
Show the current status of the FQDN entries:
> request system fqdn show
FQDN Table : Last Request time Mon Sep 9 14:06:08 2013
--------------------------------------------------------------------------------
IP Address Remaining TTL Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
not-exist.com (Objectname not-exist.com):
Not resolved
not-exist2.net (Objectname not-exist2.net):
Not resolved
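The following Python script is an added illustration and is not Palo Alto Networks code. It models the situation above: it parses the `request system fqdn show` output to list FQDN objects that are still unresolved, then runs a simplified shadow check over the two rules. The modelling assumption (not stated on the page) is that an unresolved FQDN object contributes no addresses to a rule's destination, so two rules that differ only in an unresolved destination FQDN end up with identical effective match criteria and the first one shadows the second; once each name resolves to its own address, the rules diverge and the warning disappears. The sample CLI text and the resolved IP addresses are constructed for the example.

```python
"""Added example: why unresolved FQDN objects make otherwise distinct rules
look identical to the pre-commit shadow check. Not firewall code; the shadow
check here is a simplification assumed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample of `request system fqdn show` output, following the article.
FQDN_SHOW_OUTPUT = """\
FQDN Table : Last Request time Mon Sep  9 14:06:08 2013
--------------------------------------------------------------------------------
          IP Address          Remaining TTL       Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1
not-exist.com (Objectname not-exist.com):
    Not resolved
not-exist2.net (Objectname not-exist2.net):
    Not resolved
"""


def unresolved_fqdns(show_output: str) -> list[str]:
    """Return the FQDN object names that the table reports as 'Not resolved'.

    A pre-commit check like this is the practical takeaway: if this list is
    non-empty, a shadow warning between FQDN-based rules is expected.
    """
    unresolved = []
    current = None
    for line in show_output.splitlines():
        m = re.match(r"^(\S+) \(Objectname (\S+)\):\s*$", line)
        if m:
            current = m.group(2)
            continue
        if current and line.strip() == "Not resolved":
            unresolved.append(current)
            current = None
    return unresolved


@dataclass(frozen=True)
class Rule:
    name: str
    source: frozenset[str]       # "any" acts as a wildcard
    dest_fqdns: frozenset[str]   # FQDN object names used as destination
    application: frozenset[str]  # "any" acts as a wildcard


# The two rules from the article, trust -> untrust, source any / application any.
RULES = [
    Rule("test1-not-exist-dst", frozenset({"any"}), frozenset({"not-exist.com"}), frozenset({"any"})),
    Rule("test1-not-exist-dst2", frozenset({"any"}), frozenset({"not-exist2.net"}), frozenset({"any"})),
]


def effective_dest(rule: Rule, fqdn_table: dict[str, frozenset[str]]) -> frozenset[str]:
    """Expand destination FQDN objects to addresses; unresolved objects add nothing (assumption)."""
    ips: set[str] = set()
    for name in rule.dest_fqdns:
        ips.update(fqdn_table.get(name, frozenset()))
    return frozenset(ips)


def covers(earlier: frozenset[str], later: frozenset[str]) -> bool:
    """True if the earlier rule's criterion matches everything the later one matches."""
    return "any" in earlier or later <= earlier


def shadowed_rules(rules: list[Rule], fqdn_table: dict[str, frozenset[str]]) -> list[tuple[str, str]]:
    """Return (shadowing, shadowed) pairs: a later rule is shadowed by the first
    earlier rule whose source, application and effective destination cover it."""
    pairs = []
    for i, later in enumerate(rules):
        later_dst = effective_dest(later, fqdn_table)
        for earlier in rules[:i]:
            if (covers(earlier.source, later.source)
                    and covers(earlier.application, later.application)
                    and effective_dest(earlier, fqdn_table) >= later_dst):
                pairs.append((earlier.name, later.name))
                break
    return pairs


def demo() -> tuple[list[str], list[tuple[str, str]], list[tuple[str, str]]]:
    """Run the check against the unresolved table, then against a constructed resolved one."""
    unresolved = unresolved_fqdns(FQDN_SHOW_OUTPUT)
    unresolved_table = {name: frozenset() for name in unresolved}
    warn_before = shadowed_rules(RULES, unresolved_table)
    # Constructed resolution: documentation-range addresses, one per name.
    resolved_table = {"not-exist.com": frozenset({"192.0.2.10"}),
                      "not-exist2.net": frozenset({"198.51.100.20"})}
    warn_after = shadowed_rules(RULES, resolved_table)
    return unresolved, warn_before, warn_after


if __name__ == "__main__":
    names, before, after = demo()
    print("Unresolved FQDN objects:", names)
    print("Shadow warnings while unresolved:", before)
    print("Shadow warnings once resolved:", after)
```

Running the script reports both FQDN objects as unresolved, one shadow pair ('test1-not-exist-dst' shadows 'test1-not-exist-dst2') matching the commit warning in the job output, and no shadow pair once each name resolves to a distinct address.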
owner: yogihara