Action Configured in Security Rules and Seen in Traffic Log is Inconsistent

Created On 09/26/18 13:49 PM - Last Modified 02/07/19 23:45 PM



In some situations a session whose application is recognized as insufficient-data can produce a traffic log entry showing the action "allow" even though the session matched a drop rule.

For example:

Take FTP traffic from a zone "replay_eth2" to a zone "replay_eth3".

This FTP traffic will be incomplete: a RST packet is sent by the client at the beginning of the command session (dport 21).

This incomplete FTP transaction causes the session to be recognized as insufficient-data.

The decoder attached to the FTP application did not receive enough data to complete its compliance checks and validate the FTP application.

Note: This is not specific to FTP; it can happen for any application that has a decoder.

The security rulebase on the Palo Alto Networks firewall is shown in the example below:


In the security rulebase, it is important to have the following:

  • One rule denying traffic for 'any' application
  • One rule above allowing traffic for a specific application
    • Flow tuples (sip, szone, dip, dzone) for FTP traffic have to match this rule, which allows App-ID to kick in.
    • If there is no such rule, traffic will be dropped before App-ID starts.

Under these conditions, if FTP traffic is generated from zone "replay_eth2" to zone "replay_eth3", it will be blocked with the following log entry:



This behavior can be explained as follows:

  • In this very specific scenario, the Palo Alto Networks firewall does not yet have all the information needed to take the final action configured in the "Deny All" rule (Deny)
  • The final action is taken once the application decoder has validated the application (by running compliance tests against the transaction)
  • The final rule match and action are deferred until after this validation

When the RST packet is received, the session ends with these states:

  • Insufficient-data
    The FTP session is incomplete and was never validated
  • Matching "Deny All" rule with "allow" action
    The action was temporarily set to "allow" so that App-ID could complete (within 4 data packets or 2000 bytes of payload), and the "Deny All" rule was the best potential match.
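The deferred match described above, modelled as an added example (not Palo Alto Networks code): the rulebase, log records and field names are constructed to mirror the article, and the model is deliberately simplified to zones and App-ID only (no addresses, ports or users). `triage` shows how to separate the benign App-ID deferral entries from any other action mismatch when reviewing traffic logs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # zone name or "any"
    dst_zone: str
    app: str       # App-ID name or "any"
    action: str    # configured action: "allow" / "deny"

# Constructed rulebase mirroring the article: specific-app allow rule above deny-any.
RULEBASE = [Rule("Allow FTP", "replay_eth2", "replay_eth3", "ftp", "allow"),
            Rule("Deny All", "any", "any", "any", "deny")]

# Constructed traffic-log records (PAN-OS-style field names; values are made up).
LOG = [
    {"sessionid": 1, "rule": "Deny All", "app": "insufficient-data", "action": "allow"},
    {"sessionid": 2, "rule": "Allow FTP", "app": "ftp", "action": "allow"},
    {"sessionid": 3, "rule": "Deny All", "app": "ssh", "action": "allow"},
]

def final_match(rulebase, szone, dzone, app):
    """Simplified model (assumption) of the deferred rule match from the article.
    app is the App-ID result at session end ('insufficient-data' when the
    decoder never validated it). Returns (rule_name, logged_action)."""
    cands = [r for r in rulebase
             if r.src_zone in ("any", szone) and r.dst_zone in ("any", dzone)]
    if not cands:
        return (None, "deny")
    if cands[0].app == "any":           # no App-ID needed: action known up front
        return (cands[0].name, cands[0].action)
    if app == "insufficient-data":      # App-ID never completed: temporary 'allow'
        best = next((r for r in cands if r.app == "any"), cands[0])
        return (best.name, "allow")     # ...logged against the best potential match
    for r in cands:
        if r.app in ("any", app):
            return (r.name, r.action)
    return (None, "deny")

def triage(rulebase, log):
    """Flag records whose logged action differs from the rule's configured action,
    separating the benign App-ID deferral case from anything else."""
    configured = {r.name: r.action for r in rulebase}
    out = []
    for rec in log:
        cfg = configured.get(rec["rule"])
        if cfg is None or cfg == rec["action"]:
            continue
        benign = rec["app"] == "insufficient-data" and rec["action"] == "allow"
        out.append((rec["sessionid"], "appid-deferral" if benign else "investigate"))
    return out
```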

owner: nbilly
