Implicit vs Explicit Security Policies
28880
Created On 08/25/20 22:17 PM - Last Modified 12/31/24 17:46 PM
Symptom
A firewall is configured with two security rules: the first rule (allow-twitter) allows the application 'twitter-base'; the second rule (Block-Social) allows all web traffic but attaches a URL Filtering profile that blocks the 'social-networking' URL category. The intended result is that users can reach Twitter but no other social-networking site:
Policies > Security:
In this environment, SSL Forward Proxy decryption is enabled for the 'social-networking' URL category. The traffic logs show that the initial traffic to Twitter matches the second rule (Block-Social) before the session switches to the first rule (allow-twitter), even though the first rule implicitly allows 'ssl' and 'web-browsing' as dependencies of 'twitter-base'.
Monitor > Traffic > detailed view (magnifying glass):
Environment
- All versions of PAN-OS
- Firewall configured with application-specific security policies
Cause
The session starts as 'web-browsing' (or 'ssl' when the traffic is not decrypted), because App-ID cannot identify 'twitter-base' until it has seen more of the session. For this initial traffic the firewall matches an explicit security rule, that is, a rule that lists 'web-browsing' or 'ssl' (or 'any') in its application field, if one exists. Only when no explicit rule matches does it fall back to a rule that allows these applications implicitly, as dependencies of an allowed application such as 'twitter-base'. To demonstrate: when the second rule is disabled, all traffic to Twitter matches the first rule.
Resolution
This is expected behavior. Once App-ID identifies the traffic, the application shifts from 'web-browsing' to 'twitter-base' (in this illustration). At that point the firewall performs a new security policy lookup for the newly identified application, and the session moves to the first rule that allows 'twitter-base'.
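The lookup order described in Cause and Resolution, written out as a small Python model. This is an added illustration for this article, not PAN-OS code: the rule names, application names and the URL category are the ones used above, while the dependency table, the two-pass matching order (explicit application match first, then a rule whose allowed application implicitly depends on the observed one) and the rule-disable helper are assumptions that reproduce the behavior the article describes. URL Filtering profile evaluation is not modeled.

```python
"""Model of first-match security rule lookup with an application shift.

Added example for the KB article; not firewall code. Names follow the
article; the matching order and dependency table are assumptions.
"""
from dataclasses import dataclass, field, replace

# Assumed dependency table: applications the firewall lets through
# implicitly when a rule allows an application that depends on them.
IMPLICIT_DEPS = {
    "twitter-base": {"web-browsing", "ssl"},
}


@dataclass
class Rule:
    name: str
    apps: set                      # explicit application list; 'any' matches all
    action: str                    # 'allow' or 'deny'
    blocked_url_categories: set = field(default_factory=set)
    enabled: bool = True

    def matches_explicit(self, app):
        """The rule names this application (or 'any') directly."""
        return self.enabled and ("any" in self.apps or app in self.apps)

    def matches_implicit(self, app):
        """The rule allows an application that depends on this one."""
        return self.enabled and any(
            app in IMPLICIT_DEPS.get(allowed, set()) for allowed in self.apps
        )


def lookup(rules, app):
    """First-match lookup: an explicit match anywhere in the rulebase wins
    over an implicit (dependency) match; returns None if nothing matches."""
    for rule in rules:
        if rule.matches_explicit(app):
            return rule
    for rule in rules:
        if rule.matches_implicit(app):
            return rule
    return None


def session_rules(rules, app_sequence):
    """Rule matched at each stage of a session as App-ID first reports the
    traffic as ssl/web-browsing and later shifts to the final application.
    A new lookup is performed after every shift, as the article states."""
    result = []
    for app in app_sequence:
        rule = lookup(rules, app)
        result.append(rule.name if rule else None)
    return result


def disable(rules, name):
    """Copy of the rulebase with one rule disabled (the article's test)."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


# Rulebase from the article, in the order the firewall evaluates it.
RULEBASE = [
    Rule("allow-twitter", {"twitter-base"}, "allow"),
    Rule("Block-Social", {"web-browsing", "ssl"}, "allow",
         blocked_url_categories={"social-networking"}),
]

if __name__ == "__main__":
    # Constructed session: decrypted traffic seen as ssl, then web-browsing,
    # then identified as twitter-base.
    stages = ["ssl", "web-browsing", "twitter-base"]
    print(session_rules(RULEBASE, stages))
    print(session_rules(disable(RULEBASE, "Block-Social"), stages))
```

With both rules enabled the model reports Block-Social for the first two stages and allow-twitter after the shift, matching the traffic log in the Symptom section; with Block-Social disabled every stage lands on allow-twitter, because the implicit dependency match is then the only match available.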
Additional Information
Understanding this behavior helps when diagnosing issues related to URL filtering and application shifts: the rule a session matches at the start is not necessarily the rule it matches after App-ID identifies the application, so the security profiles that apply to the session can change at the shift. To see which rule a session currently matches, use the Monitor > Traffic log or the CLI command 'show session id <id>'.