When Wildcard Objects are used, the traffic does not match the correct policy.

4516

Created On 10/16/23 05:29 AM - Last Modified 10/14/24 20:53 PM

Address Objects

Policy

PAN-OS

Next-Generation Firewall

Symptom

The traffic is not taking the expected rule with wildcard object.

Given the configuration below:

Wildcard Objects
Object Name	Address	Meaning	Example of expected matches
wildcard-10.128.0.1-0.127.0.0	10.128.0.1/0.127.0.0	Match 10.128-255.0.1	10.128.0.1 10.129.0.1 10.164.0.1 10.255.0.1
wildcard-10.128.0.1-0.127.255.0	10.128.0.1/0.127.255.0	Match 10.128-255.0-255.1	10.128.0.1 10.128.192.1 10.164.128.1 10.255.255.1
wildcard-10.128.0.1-0.15.255.0	10.128.0.1/0.15.255.0	Match 10.128-143.0-255.1	10.128.0.1 10.129.255.1 10.143.0.1

Security Rule Base
Rule Base	Source Object
Rule A	wildcard-10.128.0.1-0.127.0.0
Rule B	wildcard-10.128.0.1-0.127.255.0
Rule C	wildcard-10.128.0.1-0.15.255.0

Traffic from 10.128.0.1 match the 3 wildcard objects, however, it is being processed by the rule C.

admin@NGFW> test security-policy-match from Trust to Untrust source 10.128.0.1 destination 8.8.8.8 destination-port 80 protocol 6

"Rule C; index: 3" {
        from any;
        source none;
        source-region none;
        to any;
        destination any;
        destination-region none;
        user any;
        source-device any;
        destination-device any;
        category any;
        application/service 0:any/any/any/app-default;
        action allow;
        icmp-unreachable: no
        terminal yes;
}

Environment

Palo Alto Firewalls
Supported PAN-OS
Wildcard object

Cause

In case of overlapping wildcard objects, the address is matched against the longest prefix wildcard mask (see additional information).
In this example,
- For the IP address 10.128.0.1.
- The leaf matched is 10.128.0.1/12 (/12 is longer than /9).
- Then the IP address is matched against wildcard-10.128.0.1-0.15.255.0 which is used in Rule C.

Resolution

Shift the rules in correct order to get the intended results
See the calculation for the above example below
1. For the above example Review the wildcard objects so the prefix length match is neutralized (step1).

For the IP address 10.128.0.1.
Because 10.128.0.1 matched the leaf 10.128.0.1/12, the other wildcard objects need to be edited to result in /12 prefixes.

The object wildcard-10.128.0.1-0.127.0.0 - 10.128.0.1/0.127.0.0 needs to be decomposed in the wildcard as below.

10.128.0.1/0.15.0.0
10.144.0.1/0.15.0.0
10.160.0.1/0.15.0.0
10.176.0.1/0.15.0.0
10.192.0.1/0.15.0.0
10.208.0.1/0.15.0.0
10.224.0.1/0.15.0.0
10.240.0.1/0.15.0.0

Updated Wildcard Objects
Object Name	Address
wildcard-10.128.0.1-0.127.0.0	10.128.0.1/0.127.0.0
wildcard-10.128.0.1-0.127.255.0	10.128.0.1/0.127.255.0
wildcard-10.128.0.1-0.15.255.0	10.128.0.1/0.15.255.0
new-10.128.0.1-0.15.0.0	10.128.0.1/0.15.255.0
new-10.144.0.1-0.15.0.0	10.144.0.1/0.15.255.0
new-10.160.0.1-0.15.0.0	10.160.0.1/0.15.255.0
new-10.176.0.1-0.15.0.0	10.176.0.1/0.15.255.0
new-10.192.0.1-0.15.0.0	10.192.0.1/0.15.255.0
new-10.208.0.1-0.15.0.0	10.208.0.1/0.15.255.0
new-10.224.0.1-0.15.0.0	10.224.0.1/0.15.255.0
new-10.240.0.1-0.15.0.0	10.240.0.1/0.15.255.0

Updated Security Rule Base
Rule Base	Source Object
Rule A	wildcard-10.128.0.1-0.127.0.0 new-10.128.0.1-0.15.0.0 new-10.144.0.1-0.15.0.0 new-10.160.0.1-0.15.0.0 new-10.176.0.1-0.15.0.0 new-10.192.0.1-0.15.0.0 new-10.208.0.1-0.15.0.0 new-10.224.0.1-0.15.0.0 new-10.240.0.1-0.15.0.0
Rule B	wildcard-10.128.0.1-0.127.255.0
Rule C	wildcard-10.128.0.1-0.15.255.0

After the change, the rule is matched as expected

admin@NGFW> test security-policy-match from Trust to Untrust source 10.128.0.1 destination 8.8.8.8 destination-port 80 protocol 6

"Rule A; index: 1" {
        from any;
        source none;
        source-region none;
        to any;
        destination any;
        destination-region none;
        user any;
        source-device any;
        destination-device any;
        category any;
        application/service 0:any/any/any/app-default;
        action allow;
        icmp-unreachable: no
        terminal yes;
}

Additional Information

The wildcard objects are stored in a tree data structure.
Each leaf of the tree is prefix associated with the matching wildcard object(s).

wildcard-10.128.0.1-0.127.0.0 - 10.128.0.1/0.127.0.0
0.127.0.0 (0000 0000.0111 1111.0.0) gives a /9 (9 bits to 0 before the first bit to 1)
The leaf will be: 10.128.0.1/9

wildcard-10.128.0.1-0.127.255.0 - 10.128.0.1/0.127.255.0
0.127.255.0 (0000 0000.0111 1111.255.0) gives a /9 (9 bits to 0 before the first bit to 1)
The leaf will be: 10.128.0.1/9

wildcard-10.128.0.1-0.15.255.0 - 10.128.0.1/0.15.255.0
0.15.0.0 (0000 0000.0000 1111.255.0) gives a /9 (9 bits to 0 before the first bit to 1)
The leaf will be: 10.128.0.1/12

Data Structure
Leaf	Associated Wildcard Objects
10.128.0.1/9	wildcard-10.128.0.1-0.127.0.0 wildcard-10.128.0.1-0.127.255.0
10.128.0.1/12	wildcard-10.128.0.1-0.15.255.0

The wildcard object match is made in 2 steps:

Prefix length match
In this stage, for a given address, the system will search for the longest prefix match on the Data Structure to get the list of wildcard objects.
Associated wildcard object match
In this stage, for a given address, the system will check the match with the associated wildcard objects.