Why are Rules Denying Applications Allowing Some Packets?
Sessions associated with an application-based deny rule show some packets transmitted/received.
When the Palo Alto Networks firewall evaluates traffic, the security policy is evaluated two times:
- Checking the packet against the rule set as if the application were set to any (before the application has been identified)
- Checking the packet against the rule set again once the application has been identified
Because the application is not necessarily known in the first packets, it can take several packets to determine what the underlying application is. During this evaluation period, packets may be allowed through unless there is a rule which would deny the traffic irrespective of the application (such as denying a destination URL/IP, port number, user, etc.). When the application is determined, if a rule does not permit that application and other aspects of that session, that packet and future packets in that active session will be denied (dropped).
This is expected behavior. It occurs because the firewall does not rely on ports alone; it identifies the underlying application, and that identification cannot be completed on the first packet of a session.
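The following is an added example, not Palo Alto Networks code, that simulates the two-pass evaluation described above so the session byte counts can be seen directly. The rule names, the address and port, the packet sizes, and the assumption that App-ID needs three packets are constructed for the demonstration; the `rule_matches` and `simulate_session` functions are simplified models, not the firewall's implementation.

```python
# Added example (not Palo Alto Networks code): a small simulation of the
# two-pass policy evaluation. Rule names, addresses, packet sizes and the
# number of packets App-ID needs are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    app: str = "any"                 # "any" = not constrained by application
    dst_ip: Optional[str] = None     # None = any destination address
    dst_port: Optional[int] = None   # None = any destination port


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    size: int                        # bytes, counted toward session statistics


def rule_matches(rule: Rule, pkt: Packet, app: Optional[str]) -> bool:
    """Match one rule. An application-specific rule can only match once the
    application has been identified (app is None until then)."""
    if rule.app != "any" and rule.app != app:
        return False
    if rule.dst_ip is not None and rule.dst_ip != pkt.dst_ip:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet, app: Optional[str]) -> Optional[Rule]:
    """Top-down, first-match lookup; None means no rule matched (implicit deny)."""
    for rule in rules:
        if rule_matches(rule, pkt, app):
            return rule
    return None


def simulate_session(rules: List[Rule], packets: List[Packet], real_app: str,
                     packets_to_identify: int) -> Tuple[int, int, List[Tuple]]:
    """Replay one session through the policy.

    Pass 1: while the application is unknown, only rules whose application is
    "any" can match. Pass 2: once App-ID has seen enough packets, the session
    is re-evaluated with the real application; a deny drops that packet and
    every later packet of the session.
    Returns (bytes_allowed, bytes_denied, per-packet log)."""
    allowed = denied = 0
    app: Optional[str] = None
    closed = False
    log = []
    for i, pkt in enumerate(packets):
        if app is None and i >= packets_to_identify:
            app = real_app                      # App-ID has identified the app
        if closed:
            rule_name, action = "session-closed", "deny"
        else:
            rule = first_match(rules, pkt, app)
            rule_name = rule.name if rule else "implicit-deny"
            action = rule.action if rule else "deny"
            if action == "deny":
                closed = True                   # later packets are dropped too
        log.append((i, app or "unknown", rule_name, action))
        if action == "allow":
            allowed += pkt.size
        else:
            denied += pkt.size
    return allowed, denied, log


# Constructed policies and traffic for the demonstration.
APP_DENY_ONLY = [
    Rule("deny-ssh", "deny", app="ssh"),
    Rule("allow-all", "allow"),
]
APP_DENY_PLUS_PORT = [
    Rule("deny-port-22", "deny", dst_port=22),  # denies irrespective of App-ID
    Rule("deny-ssh", "deny", app="ssh"),
    Rule("allow-all", "allow"),
]
SESSION = [Packet("198.51.100.10", 22, 100) for _ in range(5)]


def main() -> None:
    for label, policy in (("app-only deny", APP_DENY_ONLY),
                          ("app deny + port deny", APP_DENY_PLUS_PORT)):
        allowed, denied, log = simulate_session(policy, SESSION, "ssh", 3)
        print(f"{label}: allowed={allowed}B denied={denied}B")
        for entry in log:
            print("  pkt %d app=%-7s rule=%-14s %s" % entry)


if __name__ == "__main__":
    main()
```

With only the application-based deny rule, the first three packets match `allow-all` while the application is still unknown, so the session statistics show 300 bytes passed before `deny-ssh` takes effect; with a port-based deny rule placed above it, nothing is allowed because that rule matches in the first pass, which is the "deny irrespective of the application" case described above.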