After PAN-OS upgrade to 11.1.5 or later, some s2c flows may not match the expected PBF rules

• In CLI "show session all" output the impacted sessions will be listed with application "undecided".

• In global counters <flow_fwd_zonechange> may increment:

• Session details may show incorrect PBF match or no PBF at all.

• Hit count on PBF rule will stop incrementing.
• Packet capture may show dropped packets.
• In traffic log the failing communication will show with application incomplete.

• Palo Alto Networks Firewalls
• PAN-OS 11.1.5 and above
• Policy Based Forwarding (PBF)

Software issue introduced in PAN-OS 11.1.5.

 

1. The issue is resolved in PAN-OS 11.1.8 under PAN-277751. 
2. Upgrade to 11.1.8 or higher will resolve the issue.
3. As a workaround till the upgrade is done, Update the service object used in the PBF rule with the source and destination ports matching the source and destination ports in s2c flow.

Note: For UDP the destination port will be set to ANY, while for TCP, the destination port range can be set to 1024-65535 or ANY.