Unresolved FQDNs in Security Policy Result in Shadow Policy Warning During Commit

Symptom

If the Palo Alto Networks firewall is not able to resolve FQDN entries in a security policy while performing a commit, a message appears stating that a rule is being shadowed by another rule.

Cause

The symptom above arises when FQDNs in multiple policies are invalid or the DNS server is unreachable or non-responsive. The commit succeeds, but an unresolved FQDN in a security policy produces the message indicating that a rule will not be matched due to being shadowed by another rule.

For example:

The following security policies are implemented from trust zone to untrust zone, and use FQDNs (not-exist.com and not-exst2.net) that are invalid:

• test1-not-exist-dst : source any / destination FQDN: not-exist.com  / application any
• test1-not-exist-dst2 : source any / destination FQDN: not-exist2.net  / application any

Show the job details for the commit operation:

> show jobs id 1

Enqueued ID Type Status Result Completed

--------------------------------------------------------------------------

2013/09/09 14:17:21 1 AutoCom FIN OK 14:19:03

Warnings:

Details:VSYS1

  Security Policy:

  - Rule 'test1-not-exist-dst' shadows rule 'test1-not-exist-dst2'

(Module: device)

Configuration committed successfully

Successfully committed last configuration

Show the current status of FQDN entry:

> request system fqdn show

FQDN Table : Last Request time Mon Sep 9 14:06:08 2013

--------------------------------------------------------------------------------

  IP Address Remaining TTL Secs Since Refreshed

--------------------------------------------------------------------------------

VSYS : vsys1

not-exist.com  (Objectname not-exist.com):

                    Not resolved

not-exist2.net  (Objectname not-exist2.net):

                    Not resolved

owner: yogihara