Traffic blocked with security policy action allow
Created On 04/01/20 22:58 PM - Last Modified 06/02/20 03:56 AM
Symptom
- Traffic is blocked even though a security policy exists that matches the traffic and allows it
- Security policy configured as shown in the picture above
- Packet captures were configured, and global counters filtered on the packet filter were used to narrow down what happened to the captured traffic
- These counters indicate that session setup failed because the session was "denied by policy":
> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 3.9 seconds

name                 value  rate  severity  category  aspect   description
--------------------------------------------------------------------------------
flow_policy_deny         2     0  drop      flow      session  Session setup: denied by policy
Environment
- PAN-OS 8.1.11
- PA-500
Cause
- Even though the security policy appears as if it should match the session, the traffic still does not hit that policy
- Run the security policy match test: no security policy matches the test, and the firewall simply returns to the prompt
> test security-policy-match protocol 17 source 10.0.0.10 destination 172.16.98.89 destination-port 5900 from Global-Protect to Tunnel
Firewall@test>
- Check the security policy from the CLI
> show running security-policy

"Global Protect to Tunnel; index: 2" {
    from Global-Protect;
    source any;
    source-region none;
    to Tunnel;
    destination 172.16.98.89;
    destination-region none;
    user any;
    category any;
    application/service 0:vnc-base/tcp/any/5900;
    action allow;
    icmp-unreachable: no
    terminal yes;
}
- As the output above shows, the security policy in the CLI differs from the security policy in the WebGUI.
- The CLI shows the rule allowing traffic only for application vnc-base with service TCP, destination port 5900.
- The WebGUI, by contrast, shows application "any" and service "any".
Resolution
- Create a new policy from scratch using the configuration of the corrupted security policy, then check the rule again in the CLI
- Make sure the policy shown in the CLI matches the policy in the WebGUI
> show running security-policy

"Global Protect to Tunnel-TAC; index: 2" {
    from Global-Protect;
    source any;
    source-region none;
    to Tunnel;
    destination 172.16.98.89;
    destination-region none;
    user any;
    category any;
    application/service 0:any/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
}
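To make the CLI-versus-WebGUI comparison repeatable across many rules, here is an added Python example (not from this article or from Palo Alto Networks) that parses the rule blocks printed by `show running security-policy` and reports where a rule's application/service differs from the application "any" / service "any" the WebGUI shows. The sample text is constructed from the two rules above, and the parser assumes the four-field app/proto/sport/dport form seen in this output.

```python
import re

# Constructed sample modelled on the two rules shown in this article (the
# corrupted rule and its rebuilt replacement); not real device output.
SAMPLE = '''
"Global Protect to Tunnel; index: 2" {
    from Global-Protect; source any; to Tunnel; destination 172.16.98.89;
    application/service 0:vnc-base/tcp/any/5900;
    action allow; terminal yes;
}
"Global Protect to Tunnel-TAC; index: 3" {
    from Global-Protect; source any; to Tunnel; destination 172.16.98.89;
    application/service 0:any/any/any/any;
    action allow; terminal yes;
}
'''

# One rule block: "<name>; index: <n>" { <key value>; ... }
RULE_RE = re.compile(r'"(?P<name>[^"]+); index: (?P<index>\d+)"\s*\{(?P<body>.*?)\}', re.S)

def parse_rules(text):
    """Map rule name -> dict of fields; 'app_service' holds (app, proto, sport, dport) tuples."""
    rules = {}
    for m in RULE_RE.finditer(text):
        fields = {}
        for stmt in m.group('body').split(';'):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(' ')
                fields[key] = value.strip()
        # Each entry is "<slot>:<app>/<proto>/<sport>/<dport>", as in the article's output
        entries = []
        for entry in fields.get('application/service', '').split():
            entries.append(tuple(entry.partition(':')[2].split('/')))
        fields['app_service'] = entries
        rules[m.group('name')] = fields
    return rules

def check_rule(rules, name, expected_app='any', expected_service=('any', 'any', 'any')):
    """List every way the running rule's application/service differs from what the GUI shows."""
    rule = rules.get(name)
    if rule is None:
        return [f'rule {name!r} not found in running config']
    problems = []
    for app, proto, sport, dport in rule['app_service']:
        if app != expected_app:
            problems.append(f'application {app} != {expected_app}')
        if (proto, sport, dport) != expected_service:
            problems.append(f'service {proto}/{sport}/{dport} != {"/".join(expected_service)}')
    return problems
```

Feed it the real CLI output and pass each rule name together with the application and service the WebGUI displays; an empty list means the running rule agrees with the GUI.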
Security Policy in WebGUI