How to mitigate an abnormal increase in "flow_policy_deny" global counter

Created On 07/26/23 16:00 PM - Last Modified 11/03/23 19:44 PM


Objective


To mitigate an abnormal increase in the flow_policy_deny global counter.
Counter description:
The flow_policy_deny counter increments each time the session setup for traffic is denied by a security policy.


Environment


  • Next Generation Firewall
  • DP packet drop
  • flow_policy_deny


Procedure


  1. Identify the source of the traffic whose sessions are increasingly being denied:
    1. Check the traffic logs: Monitor > Logs > Traffic and use the search filter ( action eq deny ).
      1. If the search comes up empty, logging is most likely not enabled on the security policy that is denying the traffic. This policy may be the interzone-default rule, which you need to override in order to enable Log at Session End and/or Log at Session Start.
    2. Check the ACC tab: ACC and use the action deny filter.
  2. If the traffic is denied at the slow path stage, i.e. before the firewall has identified the traffic's application, refer to How to mitigate High DP CPU issue due to an increase in flow of traffic denied at slowpath stage by a security policy.
  3. If the traffic is denied at the fast path stage, i.e. after the firewall has identified the traffic's application, then:
    1. Check whether the firewall is identifying the traffic's application correctly:
      1. If the application is not correctly identified:
        1. Ensure that the firewall has the latest content/application version. Refer to install content update for more details.
        2. If the content/application version is already the latest, and the application was identified before the upgrade to the latest content/application version but is no longer identified afterwards, reach out to Palo Alto Networks support to report the issue and get it fixed.
        3. If the unidentified application is not part of the applications currently identified by Palo Alto Networks, refer to How to Request a new App-ID in order to add a signature for that application to the Palo Alto Networks applications database, which can be checked in Applipedia.
      2. If the application is correctly identified but its name has changed, check "See the New and Modified App-IDs in a Content Release" to learn how to change your firewall configuration to accommodate that change.
      3. If the traffic being denied is trusted traffic that should be allowed and carries a trusted application, consider, if needed, configuring an application override policy that allows this traffic (note that app-override disables all security inspection).
  4. Reasons other than a misidentified application can cause traffic to hit the wrong rule and thus be wrongly denied, including but not limited to: wrong routing configuration, wrong prioritization (ordering) of the security rules, or a wrong NAT policy applied to the traffic. To identify those reasons, search the active discarded sessions:
    show session all filter type flow state discard
    Identify the session ID of the traffic that has a high number of denied sessions/packets, then print the session details:
    show session id <session-id>
    If further help is needed to identify why the traffic is hitting the wrong security policy, contact support.
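Steps 1 to 3 above amount to triaging denied sessions by rule, application and source, then deciding whether the deny happened before or after App-ID. The following script is an added example, not part of this article or of PAN-OS: it summarises a traffic log CSV export filtered on action eq deny. The column names and the constructed sample rows are assumptions about the export format, and the set of placeholder application names treated as "denied before App-ID" is likewise an assumption.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a PAN-OS traffic log CSV export, reduced to the columns
# this script reads. The header names are assumed to match a real export.
SAMPLE_EXPORT = """\
Receive Time,Source address,Destination address,Application,Rule,Action,Session End Reason
2023/07/26 15:59:01,10.1.1.5,203.0.113.10,not-applicable,interzone-default,deny,policy-deny
2023/07/26 15:59:02,10.1.1.5,203.0.113.10,not-applicable,interzone-default,deny,policy-deny
2023/07/26 15:59:02,10.1.1.5,203.0.113.10,not-applicable,interzone-default,deny,policy-deny
2023/07/26 15:59:03,10.1.1.7,198.51.100.20,web-browsing,Allow-Web,allow,tcp-fin
2023/07/26 15:59:04,10.1.1.9,198.51.100.30,ssl,Block-Untrusted-SSL,deny,policy-deny
2023/07/26 15:59:05,10.1.1.9,198.51.100.30,ssl,Block-Untrusted-SSL,deny,policy-deny
"""

# Application values taken to mean App-ID had not completed when the session was
# denied (assumption: placeholder names rather than a signature match).
PRE_APPID = {"not-applicable", "incomplete", "insufficient-data"}


def denied_rows(csv_text):
    """Return only the rows whose Action is deny (the article's 'action eq deny')."""
    reader = csv.DictReader(StringIO(csv_text))
    return [row for row in reader if row["Action"].strip() == "deny"]


def top_denied(csv_text, n=3):
    """Count denied sessions per (rule, application, source) and return the top n."""
    counts = Counter(
        (row["Rule"], row["Application"], row["Source address"])
        for row in denied_rows(csv_text)
    )
    return counts.most_common(n)


def deny_stage(application):
    """Map the logged application to the stage the article distinguishes."""
    return "slow-path" if application in PRE_APPID else "fast-path"


if __name__ == "__main__":
    for (rule, app, src), hits in top_denied(SAMPLE_EXPORT):
        print(f"{hits:>4}  rule={rule}  app={app}  src={src}  stage={deny_stage(app)}")
```

Groups reported as slow-path belong to step 2 of the procedure; groups with an identified application belong to step 3.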


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000bqbiCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail