Change in security policy actions from PAN-OS 7.0 & higher

This article discusses the change in behaviour from PAN-OS 7.0 and higher where the 'deny' action in the security policy results in the application-specific 'deny' action.

From PAN-OS 7.0 branch onwards, the 'deny' policy action is noted as per the default deny action for the application.
For example, the default deny action for application 'SSL' is 'drop-reset' and listed in the traffic logs as 'reset-both'.

For checking the default 'deny' action of an application, please refer to Applipedia or Objects > Application on the firewall GUI.

Below is an example showing the action 'Deny' for application 'SSL'  

 Note the 'Deny Action' for application SSL is 'drop-reset'

The action listed for a security policy with action 'deny' in the previous PANOS version 6.1 can be seen as 'deny' itself 

NOTE : The above change in behaviour for action 'deny' may result in the logs and reports capturing results with action as 'reset-both' and this is expected behaviour.

For more details on the change in security policy actions and options, please refer to:

Granular Actions for Blocking Traffic in Security Policy 

Configurable Deny Action

Applicable actions with all available options:

1. Action 'Deny'

2. Action 'Allow'

3. Action 'Drop'

4. Action 'Reset-client'

5. Action 'Reset-server'

5. Action 'Reset both client and server'