Rules that use EDL stops matching after commit is done

4776
Created On 08/17/19 03:01 AM - Last Modified 06/08/20 03:38 AM


Symptom


Security rules that reference EDL objects show the address 0.0.0.0 in place of the actual list entries. Because the rule no longer matches its intended addresses, traffic falls through to a later rule, often a deny rule or an unrelated allow rule.



Environment


  • PAN-OS version 8.0.15 and below.
  • PAN-OS version 8.1.6 and below.
  • EDL (External Dynamic List) configured and referenced in security policy.


Cause


During a commit or an FQDN refresh, resolution of the EDL objects fails. The dataplane then writes 0.0.0.0 into the running policy instead of the addresses the EDL actually contains, so after the commit traffic no longer matches the correct rule. The condition is visible in the running security policy:

> show running security-policy | match 0.0.0.0
{
from [ "Trust-L3" "Untrust-L3" ];
source any;
source-region none;
to "Untrust-L3";
destination [ 0.0.0.0 0.0.0.0 ];    <<<<< Destination is all 0.0.0.0 instead of the correct EDL object value
destination-region none;
user any;
category any;
application/service [0:any/tcp/any/80 1:any/tcp/any/443 2:any/tcp/any/587 3:any/tcp/any/993 ];
action allow;
icmp-unreachable: no
terminal yes;
}


Resolution


The fix is in PAN-OS: upgrade to 8.0.16 or later, 8.1.6-h3 or 8.1.7 or later, or 9.0.0 or later.

OR

As a workaround on an affected release, run "request system fqdn refresh force yes" after every commit. The forced refresh re-resolves the EDL objects and replaces the 0.0.0.0 entries in the running policy. Confirm with "show running security-policy | match 0.0.0.0"; no rule should appear in the output once the refresh has completed.
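The check a practitioner wants after each commit is a pass over the output of "show running security-policy" that names every rule whose source or destination has collapsed to 0.0.0.0, so the forced FQDN refresh is run only when it is actually needed. The script below is an added example and is not code from Palo Alto Networks or from this article. It assumes the rule-block layout shown in the Cause section with each rule introduced by a quoted rule name, and the embedded policy text is a constructed sample (the rule names and the healthy "Allow-Web" rule are illustrative); feed it the real CLI output captured to a file instead.

```python
"""Flag security rules whose EDL-backed addresses resolved to 0.0.0.0.

Example code, not part of the PAN-OS product or the KB article. The input
format is assumed from the 'show running security-policy' block above:
a quoted rule name, an opening brace, 'key value;' lines, a closing brace.
"""
import re
import sys

# Constructed sample modelled on the output in the Cause section. The rule
# names and the second (healthy) rule are assumptions for illustration.
SAMPLE_POLICY = r'''"Allow-Mail-To-EDL" {
        from [ "Trust-L3" "Untrust-L3" ];
        source any;
        source-region none;
        to "Untrust-L3";
        destination [ 0.0.0.0 0.0.0.0 ];
        destination-region none;
        user any;
        category any;
        application/service [0:any/tcp/any/80 1:any/tcp/any/443 ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}
"Allow-Web" {
        from "Trust-L3";
        source [ 10.1.1.0/24 ];
        source-region none;
        to "Untrust-L3";
        destination [ 203.0.113.10 203.0.113.11 ];
        destination-region none;
        user any;
        category any;
        application/service [0:any/tcp/any/443 ];
        action allow;
        icmp-unreachable: no
        terminal yes;
}
'''

# One rule block: "name" { ... } with the closing brace at line start.
RULE_RE = re.compile(r'^"([^"]+)"\s*\{(.*?)^\}', re.M | re.S)
# Only the address fields; 'source-region'/'destination-region' do not match
# because a hyphen, not whitespace, follows the keyword there.
ADDR_RE = re.compile(r'^\s*(source|destination)\s+(.*?);\s*$', re.M)

ZERO = "0.0.0.0"


def parse_rules(policy_text):
    """Return {rule_name: {'source': [...], 'destination': [...]}}."""
    rules = {}
    for block in RULE_RE.finditer(policy_text):
        name, body = block.group(1), block.group(2)
        fields = {}
        for field in ADDR_RE.finditer(body):
            # 'any' -> ['any'];  '[ a b ]' -> ['a', 'b']
            fields[field.group(1)] = field.group(2).strip().strip("[]").split()
        rules[name] = fields
    return rules


def find_zeroed_rules(policy_text):
    """Return {rule_name: [affected fields]} for rules carrying 0.0.0.0.

    A single 0.0.0.0 entry is enough to flag the rule: a rule that mixes an
    EDL with static objects still loses the EDL part when resolution fails.
    """
    zeroed = {}
    for name, fields in parse_rules(policy_text).items():
        hit = [key for key, addrs in fields.items() if ZERO in addrs]
        if hit:
            zeroed[name] = hit
    return zeroed


def needs_fqdn_refresh(policy_text):
    """True when the workaround ('request system fqdn refresh force yes')
    should be run because at least one rule is affected."""
    return bool(find_zeroed_rules(policy_text))


if __name__ == "__main__":
    # Usage: python check_edl.py policy.txt   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for rule, fields in find_zeroed_rules(text).items():
        print(f"{rule}: {', '.join(fields)} resolved to {ZERO}")
    if needs_fqdn_refresh(text):
        print("run: request system fqdn refresh force yes")
```

Run it against a file captured from the CLI after each commit on an affected release; a non-empty result is the cue to issue the forced refresh and then re-check.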



    https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PMc0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcsArticleDetail