Traffic not matching Security Policy with Predefined Region used in Address
Created On 07/23/19 22:30 PM - Last Modified 04/20/24 02:19 AM
Symptom
- Security Policy configured with 'US' Region in Source Address
- Traffic from the JP (Japan) region matches a Security Policy rule that does not list JP in its Destination Region, as seen in the "test security-policy-match" output below (an IP located in Japan matches a rule whose region list does not include JP)
    > show location ip 60.32.151.210
    61.122.112.1 Japan

    > test security-policy-match source 192.168.1.1 destination 60.32.151.210 protocol 17 destination-port 53 from trust to untrust application dns show-all yes

    "Trust-Untrust-12; index: 17" {
            from trust;
            source any;
            source-region none;
            to untrust;
            destination any;
            destination-region [ AZ BZ CN KP LU NL NO PL RU UA ];
            user any;
            category any;
            application/service 0:any/any/any/any;
            action deny;
            icmp-unreachable: no
            terminal no;
    }
Environment
- PAN-OS 8.1 and above
- Palo Alto Firewall
- Security Policy configured to allow traffic based on Source/Destination Region
Example: With US (United States) Region listed in Source Address
Cause
The customer created a custom Address Object named "0.0.0.0" for internal use. PAN-OS itself has an internal object named 0.0.0.0 with the prefix 0.0.0.0/32 that the Security Policies use for Region matching. The newly created object with the same name "0.0.0.0" but with the prefix set to 0.0.0.0/0 effectively redefined the internal object as "any".
Resolution
Delete or rename the Address Object named "0.0.0.0" in the configuration:
- From the GUI: Objects > Addresses
- Edit or delete the object named "0.0.0.0"
- Commit the changes.
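As an added example (not from the original article), the following Python check parses an exported PAN-OS XML configuration and flags address objects whose name is a bare IP literal but whose value is not exactly that host, including the "0.0.0.0" object described in the Cause section. The sample configuration is constructed, and the devices/vsys/address layout is assumed to follow a standard running-config export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config XML export (not a real customer config).
# Only the <address> section matters here; the devices/vsys hierarchy is the usual layout
# of such an export and is assumed, not taken from the article.
SAMPLE_CONFIG = """<config version="8.1.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="0.0.0.0"><ip-netmask>0.0.0.0/0</ip-netmask></entry>
      <entry name="10.1.1.1"><ip-netmask>10.1.1.1/32</ip-netmask></entry>
      <entry name="172.16.0.1"><ip-netmask>172.16.0.0/16</ip-netmask></entry>
      <entry name="web-srv"><ip-netmask>192.168.1.10/32</ip-netmask></entry>
      <entry name="dns-net"><ip-range>192.168.5.1-192.168.5.20</ip-range></entry>
    </address>
  </entry></vsys></entry></devices>
</config>"""

def looks_like_ip(name):
    """True when an address object's name is itself a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def find_misleading_address_objects(config_xml):
    """Return (name, value, reason) tuples for address objects named after an IP literal
    whose value is not exactly that single host. "0.0.0.0" is always flagged: per the
    article it collides with the internal 0.0.0.0/32 object used for Region matching.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("address"):          # covers vsys and shared address objects
        for obj in section.findall("entry"):
            name = obj.get("name", "")
            if not looks_like_ip(name):
                continue
            value = obj.findtext("ip-netmask")    # None for ip-range / fqdn objects
            if name == "0.0.0.0":
                findings.append((name, value, "shadows internal region object 0.0.0.0/32"))
                continue
            try:
                same_host = ipaddress.ip_network(value, strict=False) == ipaddress.ip_network(name)
            except ValueError:                    # missing or unparsable ip-netmask
                same_host = False
            if not same_host:
                findings.append((name, value, "name is an IP literal but value is a different prefix"))
    return findings
```

Run it against a real export (Device > Setup > Operations > Export named configuration snapshot) to list every object to review before following the Resolution steps.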