Palo Alto Networks Knowledgebase: Why are Rules Denying Applications Allowing Some Packets?

Why are Rules Denying Applications Allowing Some Packets?

2451
Created On 09/25/18 20:36 PM - Last Updated 09/25/18 23:09 PM
Policy
Resolution

Symptoms

Sessions associated with an application-based deny rule show some packets transmitted/received.

Issue

When the Palo Alto Networks firewall rules are evaluated, the security policy is evaluated two times:

  1. Checking the packet against the rule set if the application was set to ANY
  2. Checking the packet against the rule set once the application has been identified

Because the application is not necessarily known in the first packets, it can take several packets to determine what the underlying application is. During this evaluation period, packets may be allowed through unless there is a rule which would deny the traffic irrespective of the application (such as denying a destination URL/IP, port number, user, etc.). When the application is determined, if a rule does not permit that application and other aspects of that session, that packet and future packets in that active session will be denied (dropped).

Resolution

This is expected behavior. The issue is caused by the firewall not relying on ports only, it determines the underlying application.

owner: gwesson



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliLCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language