Traffic unexpectedly matching a port-based rule below a cloned application-based rule

Created On 01/15/24 16:37 PM - Last Modified 08/15/24 19:16 PM


Symptom


  • The hit count of the port-based rule keeps increasing.
  • No other applications are seen under Apps Seen on the port-based rule.
  • No session-end traffic logs are seen matching the port-based rule.


Environment


  • Any Palo Alto Networks Firewall
  • Any PAN-OS version
  • Two security policies configured for the same traffic:
    • The first rule is port-based with application "any".
    • The second rule is application-based (App-ID) with default/any ports. This rule is placed above the port-based rule.
  • The application configured in the application-based rule has implicitly allowed applications.


Cause


The firewall initially identifies the application as one of the implicitly allowed applications. The policy lookup then matches the port-based rule, because a rule that explicitly allows the application (here, application "any") takes precedence over a rule that only allows it implicitly, even though the port-based rule sits further down in the rulebase.

Once the traffic is fully identified, the application shifts to the one defined in the application-based rule and a new security policy lookup is triggered, which matches the application-based rule.

Traffic logs matching the port-based rule for the implicit application can be seen if the "Log at Session Start" option is enabled for that rule.


Resolution


Before disabling or removing the port-based rule, add the implicit applications explicitly to the application-based policy rule so that no traffic matches the port-based rule anymore.
Once the hit counter of the port-based rule stops incrementing, the rule can safely be disabled or removed, because the traffic now matches the application-based rule on every lookup.
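The following is an added, simplified model of the behaviour described under Cause and Resolution; it is not PAN-OS code. The rule names (allow-ms-update, allow-443), the application names and the IMPLICIT_APPS table are constructed for the example. It reproduces the two lookups one session goes through (first with the implicitly allowed application, then with the identified application), the explicit-over-implicit precedence, the hit counters, and the effect of adding the implicit applications explicitly to the application-based rule.

```python
"""Simplified model of the two-phase policy lookup described in the article.

Added illustration only, not PAN-OS code. The rule names, application names
and the IMPLICIT_APPS table below are constructed for this example; a real
rulebase also evaluates zones, addresses, users and more, which is omitted.
"""
from dataclasses import dataclass

# Constructed example: the App-ID used in the application-based rule and the
# applications the firewall implicitly allows alongside it.
IMPLICIT_APPS = {"ms-update": {"web-browsing", "ssl"}}


@dataclass
class Rule:
    name: str
    applications: set          # {"any"} or a set of App-IDs
    ports: set                 # {"any"} or a set of destination ports
    log_at_session_start: bool = False
    hits: int = 0

    def match_kind(self, app, port):
        """Return 'explicit', 'implicit' or None for an app/port pair."""
        if not ("any" in self.ports or port in self.ports):
            return None
        if "any" in self.applications or app in self.applications:
            return "explicit"
        if any(app in IMPLICIT_APPS.get(a, set()) for a in self.applications):
            return "implicit"
        return None


def lookup(rulebase, app, port):
    """Top-down first match, except that a rule explicitly allowing the app
    anywhere in the rulebase wins over a rule that only allows it implicitly
    (the precedence the article describes)."""
    kinds = [(rule, rule.match_kind(app, port)) for rule in rulebase]
    for wanted in ("explicit", "implicit"):
        for rule, kind in kinds:
            if kind == wanted:
                return rule
    return None


def simulate_session(rulebase, initial_app, final_app, port):
    """Run the lookups one session goes through and return its log lines.

    Lookup 1 uses the application as first identified (initial_app); after
    App-ID shifts to final_app a second lookup is performed. Every lookup
    increments the matched rule's hit counter, but only the last one produces
    the session-end log, which is why the port-based rule's counter grows
    while no session-end logs reference it.
    """
    logs = []
    first = lookup(rulebase, initial_app, port)
    first.hits += 1
    if first.log_at_session_start:
        logs.append(f"session-start app={initial_app} rule={first.name}")
    if final_app != initial_app:
        second = lookup(rulebase, final_app, port)
        second.hits += 1
        logs.append(f"session-end app={final_app} rule={second.name}")
    else:
        logs.append(f"session-end app={initial_app} rule={first.name}")
    return logs


def build_rulebase(explicit_fix=False, log_start=False):
    """Rulebase from the article: app-based rule placed above the port-based
    rule. With explicit_fix=True the implicit apps are added to the app rule,
    which is the resolution step."""
    apps = {"ms-update"}
    if explicit_fix:
        apps |= IMPLICIT_APPS["ms-update"]
    app_rule = Rule("allow-ms-update", apps, {"any"})
    port_rule = Rule("allow-443", {"any"}, {443}, log_at_session_start=log_start)
    return [app_rule, port_rule]


def run(explicit_fix=False, log_start=False):
    """One session first seen as web-browsing, then identified as ms-update.
    Returns the per-rule hit counters and the traffic log lines."""
    rulebase = build_rulebase(explicit_fix, log_start)
    logs = simulate_session(rulebase, "web-browsing", "ms-update", 443)
    return {rule.name: rule.hits for rule in rulebase}, logs


if __name__ == "__main__":
    for fix in (False, True):
        hits, logs = run(explicit_fix=fix, log_start=True)
        print("implicit apps added explicitly:", fix, hits, logs)
```

Without the fix, the first lookup lands on allow-443 (explicit "any" beats the implicit allowance on allow-ms-update) and only the second lookup, after the application shift, lands on allow-ms-update, so both counters increment while only the session-start log, if enabled, ever names the port-based rule. With the implicit applications added explicitly to allow-ms-update, both lookups match it and the allow-443 counter stays at zero, which is the condition the Resolution section says to wait for before disabling the rule.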


Additional Information


For more information on implicit and explicit security policy rules, check this article.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhUSCA0&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail