Zone protection profile blocking trusted traffic

Created On 04/26/21 15:30 PM - Last Modified 09/03/21 22:50 PM


Symptom


  • Traffic from specific source IPs cannot reach the internet.
  • Other IPs and users that match the same security policy, NAT policy, subnet, and configuration can access the internet.
  • Access is restored on its own after some amount of time.
  • With a packet filter configured to match the affected traffic, the global counter below increments while the problem is present:
admin@PA-VM> show counter global filter packet-filter yes delta yes
.......
flow_dos_drop_ip_blocked      2 0 drop flow dos Packets dropped: Flagged for blocking and under block duration by DoS or other modules
.......

 


Environment


  • Palo Alto Networks firewall
  • PAN-OS 8.1 and above.


Cause


  • The counter description "Flagged for blocking and under block duration by DoS or other modules" means the packet was dropped because its source IP is in the DoS block table. In this case the entry was added by the Zone Protection module.
  • This usually happens when the zone protection profile applied to the trust zone has Reconnaissance Protection configured with the action "Block-IP" (shown below). A source IP that trips the scan threshold is then blocked for the configured duration, even though it matches a security policy that allows the traffic.
Reconnaissance Protection


Resolution


  1. Option 1: Remove the zone protection profile from the trust zone.
zone protection profile under zone configuration
  2. Option 2: Add the affected source IP addresses to the Source Address Exclusion list of the profile.
source address exclusion in the profile
  3. Option 3: Reduce the block duration and raise the threshold to fit your environment (GUI: Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection > select the scan type > Action > Duration (sec) and Threshold).
  4. After implementing any of the options, clear the DoS block table from the CLI so the blocked IP is released immediately instead of at the end of its block timer:
> debug dataplane reset dos block-table
  5. Run the command below again to confirm the IP is no longer in the block table:
> debug dataplane show dos block-table


 


Additional Information


  • Zone Protection Recommendations
  • Configure Reconnaissance Protection
  • Zone protection is evaluated on the ingress zone of the traffic. To protect against floods and scans from the internet, apply the profile to the untrusted zone rather than the trust zone.
  • If you have applied a zone protection profile to the trusted zone, confirm from the CLI whether the affected IP address is in the DoS block table:
> debug dataplane show dos block-table

entp:0x800000024792c828, bucket:100, entry:0
Key:
vsys_id:1, src_zone:1
ip:10.75.1.11, dst_ip:67.195.228.84
is_ipv6:0, is_src_dst_both:1

Value:
block_until:38557 (Unblock after:106 sec)
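The following triage script is an added example and is not part of this article or of PAN-OS. It parses the two CLI outputs quoted above (the global counter line from the Symptom section and the block-table entry shown here) after they have been pasted into text, and reports whether a given source IP is currently held in the DoS block table, which source zone the entry belongs to, and how long until the block expires. The sample outputs embedded below are constructed in the article's format (the second block-table entry, the second counter row, and the zone IDs treated as "trusted" are assumptions for illustration).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of "debug dataplane show dos block-table" output, laid out
# like the entry shown in the article. The second entry and its values are made up.
SAMPLE_BLOCK_TABLE = """\
entp:0x800000024792c828, bucket:100, entry:0
Key:
vsys_id:1, src_zone:1
ip:10.75.1.11, dst_ip:67.195.228.84
is_ipv6:0, is_src_dst_both:1

Value:
block_until:38557 (Unblock after:106 sec)

entp:0x800000024792c900, bucket:101, entry:0
Key:
vsys_id:1, src_zone:2
ip:203.0.113.9, dst_ip:0.0.0.0
is_ipv6:0, is_src_dst_both:0

Value:
block_until:38600 (Unblock after:149 sec)
"""

# Constructed sample rows from "show counter global filter packet-filter yes delta yes"
# (name, value, rate, severity, category, aspect, description). The first row is the
# counter quoted in the article; the second is filler to exercise the parser.
SAMPLE_COUNTERS = """\
flow_dos_drop_ip_blocked      2 0 drop flow dos Packets dropped: Flagged for blocking and under block duration by DoS or other modules
session_allocated             3 0 info session resource Sessions allocated
"""


@dataclass
class BlockEntry:
    vsys_id: int
    src_zone: int
    ip: str
    dst_ip: str
    is_ipv6: bool
    is_src_dst_both: bool
    unblock_after_sec: int


# key:value pairs as printed in the block table ("vsys_id:1", "ip:10.75.1.11", ...)
_KV = re.compile(r"(\w+):([^,\s()]+)")
# counter rows: name, value, rate, severity, category, aspect, free-text description
_COUNTER = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)$")


def parse_block_table(text: str) -> List[BlockEntry]:
    """Split the CLI output on 'entp:' headers and read each entry's key/value lines."""
    entries = []
    for chunk in re.split(r"(?m)^entp:", text)[1:]:
        kv = dict(_KV.findall(chunk))
        m = re.search(r"Unblock after:(\d+) sec", chunk)
        entries.append(BlockEntry(
            vsys_id=int(kv["vsys_id"]),
            src_zone=int(kv["src_zone"]),
            ip=kv["ip"],
            dst_ip=kv["dst_ip"],
            is_ipv6=kv["is_ipv6"] == "1",
            is_src_dst_both=kv["is_src_dst_both"] == "1",
            unblock_after_sec=int(m.group(1)) if m else 0,
        ))
    return entries


def parse_counters(text: str) -> Dict[str, int]:
    """Map counter name -> value (the delta since the last read when 'delta yes' is used)."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line.strip())
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def triage(counters: Dict[str, int], block_table: List[BlockEntry],
           src_ip: str, trusted_zone_ids: Set[int]) -> dict:
    """Decide whether src_ip shows the symptom from the article: drops counted by
    flow_dos_drop_ip_blocked while the IP sits in the DoS block table."""
    drops = counters.get("flow_dos_drop_ip_blocked", 0)
    hits = [e for e in block_table if e.ip == src_ip]
    longest: Optional[int] = max((e.unblock_after_sec for e in hits), default=None)
    verdict = {
        "ip": src_ip,
        "dos_block_drops": drops,
        "in_block_table": bool(hits),
        "src_zones": sorted({e.src_zone for e in hits}),
        "on_trusted_zone": any(e.src_zone in trusted_zone_ids for e in hits),
        "unblock_after_sec": longest,
    }
    if hits and drops > 0:
        verdict["diagnosis"] = "blocked by DoS block table"
        # commands are the ones the article gives for releasing and re-checking the IP
        verdict["next_step"] = ("fix the zone protection profile, then: "
                                "debug dataplane reset dos block-table; "
                                "debug dataplane show dos block-table")
    elif hits:
        verdict["diagnosis"] = "in block table, no drops seen in this delta"
    else:
        verdict["diagnosis"] = "not in block table; look elsewhere"
    return verdict


if __name__ == "__main__":
    table = parse_block_table(SAMPLE_BLOCK_TABLE)
    print(triage(parse_counters(SAMPLE_COUNTERS), table, "10.75.1.11", {1}))
```

Paste the real outputs of the two commands into the two strings (or read them from files) and call `triage` with the affected IP and the zone IDs of your trust zones; a verdict of "blocked by DoS block table" with `on_trusted_zone` set confirms the cause described in this article before you touch the profile.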



 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM1uCAE&lang=en_US