Traffic blocked with security policy action allow - Knowledge Base - Palo Alto Networks

Created On 04/01/20 22:58 PM - Last Modified 06/02/20 03:56 AM


Symptom


  • Traffic is dropped even though a security policy that should allow it matches in the WebGUI
[Image: security policy as configured in the WebGUI]
  • Security policy configured as in the above picture
  • Packet captures configured and global counters used to filter the data from the capture
  • The counters show the drop reason as "denied by policy":
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 3.9   seconds

name                                   value     rate severity  category  aspec  description
--------------------------------------------------------------------------------

flow_policy_deny                           2        0 drop      flow      session   Session setup: denied by policy


Environment


  • PANOS 8.1.11
  • PA-500


Cause


  • Even though the security policy appears to match the traffic, the traffic is not hitting that policy
  • Running the security policy match test returns no matching policy (the prompt comes back with no output):
> test security-policy-match protocol 17 source 10.0.0.10 destination 172.16.98.89 destination-port 5900 from Global-Protect to Tunnel

Firewall@test>
  • Check the security policy from the CLI:
> show running security-policy

"Global Protect to Tunnel; index: 2" {
from Global-Protect;
source any;
source-region none;
to Tunnel;
destination 172.16.98.89;
destination-region none;
user any;
category any;
application/service 0:vnc-base/tcp/any/5900;
action allow;
icmp-unreachable: no
terminal yes;
}
  • As can be seen above, the security policy in the CLI differs from the security policy in the WebGUI.
  • The CLI shows the rule allowing only application vnc-base over service TCP with destination port 5900
  • The WebGUI, by contrast, shows application "any" and service "any"


Resolution


  1. Create a new policy from scratch using the same settings as the corrupted security policy, then check the rule again in the CLI
  2. Make sure the policy shown in the CLI matches the policy in the WebGUI
Security Policy in CLI
> show running security-policy

"Global Protect to Tunnel-TAC; index: 2" {
from Global-Protect;
source any;
source-region none;
to Tunnel;
destination 172.16.98.89;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}

Security Policy in WebGUI

[Image: rebuilt security policy as shown in the WebGUI, with application "any" and service "any"]
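The check described in the Cause and Resolution sections (compare the application/service tuple the firewall is actually running against what the WebGUI shows, and predict whether a given flow would match) can be scripted. The following is an added example, not Palo Alto Networks code; it parses the `show running security-policy` text format exactly as printed on this page. The sample input is the page's two rule blocks assembled into one constructed string, and the handling of multiple application/service entries on one line (split on whitespace) is an assumption.

```python
"""Parse PAN-OS 'show running security-policy' output and compare each rule's
application/service tuples with the intended (WebGUI) values.
Added example, not Palo Alto Networks code."""
import re

# Constructed sample: the broken rule and the rebuilt rule, copied from the
# CLI output shown on the page.
SAMPLE_CLI_OUTPUT = '''\
"Global Protect to Tunnel; index: 2" {
from Global-Protect;
source any;
source-region none;
to Tunnel;
destination 172.16.98.89;
destination-region none;
user any;
category any;
application/service 0:vnc-base/tcp/any/5900;
action allow;
icmp-unreachable: no
terminal yes;
}
"Global Protect to Tunnel-TAC; index: 2" {
from Global-Protect;
source any;
source-region none;
to Tunnel;
destination 172.16.98.89;
destination-region none;
user any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
'''

# One rule block: a quoted "name; index: N" header followed by a brace-delimited body.
RULE_RE = re.compile(
    r'"(?P<name>[^"]+); index: (?P<index>\d+)"\s*\{(?P<body>.*?)^\}', re.S | re.M)


def parse_running_policy(text):
    """Return a list of rule dicts keyed by the CLI field names.
    application/service entries become (app, proto, src_port, dst_port) tuples."""
    rules = []
    for m in RULE_RE.finditer(text):
        rule = {'name': m.group('name'), 'index': int(m.group('index')),
                'app_service': []}
        for line in m.group('body').splitlines():
            line = line.strip().rstrip(';')
            if not line:
                continue
            key, _, value = line.partition(' ')
            key = key.rstrip(':')  # "icmp-unreachable: no" -> key "icmp-unreachable"
            if key == 'application/service':
                # Each entry prints as "<n>:<app>/<proto>/<src-port>/<dst-port>".
                # Assumption: several entries on one line are space-separated.
                for entry in value.split():
                    app, proto, sport, dport = entry.split(':', 1)[1].split('/')
                    rule['app_service'].append((app, proto, sport, dport))
            else:
                rule[key] = value
        rules.append(rule)
    return rules


def matches_app_service(rule, app, proto, dst_port):
    """Predict whether the rule's application/service tuples accept a flow.
    proto is the IP protocol number, as in the page's test command (17 = udp)."""
    proto_name = {6: 'tcp', 17: 'udp'}.get(proto, str(proto))
    for r_app, r_proto, _src, r_dport in rule['app_service']:
        if r_app in ('any', app) and r_proto in ('any', proto_name) \
                and r_dport in ('any', str(dst_port)):
            return True
    return False


def find_mismatches(rules, intended):
    """intended maps rule name -> list of (app, proto, src_port, dst_port) tuples
    as the WebGUI shows them. Returns (name, running tuples) for every rule whose
    running configuration differs, i.e. the corruption this article describes."""
    problems = []
    for rule in rules:
        want = intended.get(rule['name'])
        if want is not None and sorted(rule['app_service']) != sorted(want):
            problems.append((rule['name'], rule['app_service']))
    return problems


if __name__ == '__main__':
    rules = parse_running_policy(SAMPLE_CLI_OUTPUT)
    gui = {r['name']: [('any', 'any', 'any', 'any')] for r in rules}
    for name, running in find_mismatches(rules, gui):
        print(f'rule "{name}" runs {running}, WebGUI shows any/any')
    for r in rules:
        print(r['name'], 'matches udp/5900:', matches_app_service(r, 'vnc-base', 17, 5900))
```

Running the script against the sample reports the original "Global Protect to Tunnel" rule as the only mismatch and predicts that it would not match the UDP/5900 flow from the page's test command, while the rebuilt "-TAC" rule would. Against a live firewall, feed it the text of `show running security-policy` captured over SSH and a dictionary built from the rules as they appear in the WebGUI.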


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPPJCA4&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail