Traffic is not correctly matching rules with multiple FQDN objects

Created On 11/23/21 08:53 AM - Last Modified 01/09/24 04:00 AM


Symptom


  • A security rule has two or more FQDN objects configured as source and/or destination in the same rule.
  • These FQDNs resolve to the same IP address.
  • Traffic intermittently fails to match the correct rule.


Environment


  • Palo Alto Firewalls
  • PAN-OS 10.1 and 10.2
  • FQDNs


Cause


  • Due to a software issue, when one of the FQDNs is later re-resolved to a different IP address (because its DNS TTL expired), the IP address cached for the other FQDN in the same rule is also changed.
  • Traffic to or from the original IP address therefore no longer matches the intended rule and hits a different rule.


Resolution


  1. The issue is tracked under PAN-157215 and is fixed in PAN-OS 10.2.3 and 10.1.7.
  2. Upgrading to a fixed release resolves the issue.
  3. As a workaround, create a separate security rule for each individual FQDN object that resolves to the same IP address, so that no single rule carries two FQDNs sharing an address.
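To find rules exposed to this condition before upgrading, the following audit helper (an added example, not Palo Alto Networks code) checks the running release against the fixed versions named above, flags any rule whose FQDN objects currently resolve to a shared IP address, and produces the per-FQDN split rules used as the workaround. The rule records, rule naming and DNS answers are constructed inline so it runs offline; the real rule export format and the resolver are assumptions.

```python
"""Audit rules for two or more FQDNs in one rule resolving to the same IP
(the condition described in this article). All sample data is constructed."""

# Fixed releases from the article: 10.1.7 and 10.2.3 (PAN-157215).
FIXED_IN = {(10, 1): (10, 1, 7), (10, 2): (10, 2, 3)}


def parse_version(version: str) -> tuple:
    """'10.1.6-h3' -> (10, 1, 6); hotfix suffix is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def is_affected_release(version: str) -> bool:
    """True only for 10.1.x / 10.2.x releases older than the fixed release."""
    parts = parse_version(version)
    fix = FIXED_IN.get(parts[:2])
    return fix is not None and parts < fix


def shared_ip_fqdns(fqdns, resolved):
    """Return {ip: [fqdn, ...]} for addresses shared by 2+ FQDNs of one rule."""
    by_ip = {}
    for name in fqdns:
        for ip in resolved.get(name, ()):
            by_ip.setdefault(ip, []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def audit_rules(rules, resolved, version):
    """List (rule name, shared-IP map) for rules exposed on this release."""
    if not is_affected_release(version):
        return []
    return [(r["name"], shared) for r in rules
            if (shared := shared_ip_fqdns(r["fqdns"], resolved))]


def split_rule(rule):
    """Workaround: one rule per FQDN object (constructed naming scheme)."""
    return [dict(rule, name=f"{rule['name']}-{n}", fqdns=[n]) for n in rule["fqdns"]]


# Constructed sample data: two FQDNs in one rule share 203.0.113.10.
RESOLVED = {"app.example.com": {"203.0.113.10"},
            "api.example.com": {"203.0.113.10"},
            "cdn.example.com": {"203.0.113.20"}}
RULES = [{"name": "allow-app", "fqdns": ["app.example.com", "api.example.com"]},
         {"name": "allow-cdn", "fqdns": ["cdn.example.com"]}]

if __name__ == "__main__":
    for name, shared in audit_rules(RULES, RESOLVED, "10.2.2"):
        print(f"{name}: shared {shared}")
        print("  split into:", [r["name"] for r in split_rule(RULES[0])])
```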


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MPCCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail