I’ve been converting rules from port-based to App-ID and I came across something that made no sense.
I verified that the App-ID rules were working correctly, as expected. I saw the port-based rule had some hits and started to investigate whether I had missed something.
When I searched on the port-based rule in Monitor, I saw traffic that didn’t match the security rule passing through that rule. Zones, sources, destinations and services don’t match, but traffic is being allowed according to Monitor.
I had 2 coworkers review this issue with me and we looked at everything. We’re kind of lost on this. We verified source and destination IPs in both rules. Verified the zones and services. Checked the local firewall to see if there may be local rules.
PAN-OS is 9.0.9 on a PA-5260. Opened a TAC case with PAN.
I reviewed the logs again today. We see traffic passing on this rule for 6 seconds on Feb 11. Nothing before or after.
I think this may have been an open fail issue. During the same time, the firewall had a memory issue. I’m thinking a process may have restarted. I opened a TAC case with Palo Alto to see if we could verify this.
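An added example, not code from the thread, that automates the check described above: it reads a constructed, simplified CSV export of the traffic log and flags sessions logged against a rule whose zones, addresses or service that rule could not have matched, then measures how long the burst of such hits lasted. The rule definition, column names and log lines are assumptions.

```python
import csv
import ipaddress
from datetime import datetime
from io import StringIO

# Hypothetical rule definition mirroring what was verified by hand in the post:
# zones, source/destination networks and service ports. All values are constructed.
RULE = {
    "name": "Allow-Legacy-Port",
    "from_zone": "trust",
    "to_zone": "dmz",
    "src_nets": [ipaddress.ip_network("10.10.0.0/16")],
    "dst_nets": [ipaddress.ip_network("192.168.50.0/24")],
    "services": {("tcp", 8443)},
}

# Constructed sample of a Monitor > Traffic export, with simplified column names.
SAMPLE_LOG = """\
receive_time,from_zone,to_zone,src,dst,proto,dport,rule,action
2021/02/11 09:14:02,trust,dmz,10.10.4.7,192.168.50.20,tcp,8443,Allow-Legacy-Port,allow
2021/02/11 09:14:05,untrust,trust,203.0.113.9,10.10.8.3,udp,53,Allow-Legacy-Port,allow
2021/02/11 09:14:08,trust,dmz,10.10.4.9,192.168.50.21,tcp,8443,Allow-Legacy-Port,allow
2021/02/11 09:14:11,untrust,trust,203.0.113.9,10.10.8.3,tcp,445,Allow-Legacy-Port,allow
"""

def rule_mismatches(rule, row):
    """Return the fields on which a logged session disagrees with the rule definition."""
    src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
    checks = {
        "from_zone": row["from_zone"] == rule["from_zone"],
        "to_zone": row["to_zone"] == rule["to_zone"],
        "src": any(src in net for net in rule["src_nets"]),
        "dst": any(dst in net for net in rule["dst_nets"]),
        "service": (row["proto"], int(row["dport"])) in rule["services"],
    }
    return [field for field, ok in checks.items() if not ok]

def find_anomalous_hits(rule, log_text):
    """Sessions logged against the rule that its zones, addresses or service could not have matched."""
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["rule"] == rule["name"] and rule_mismatches(rule, row):
            hits.append((row, rule_mismatches(rule, row)))
    return hits

def anomaly_window(hits):
    """Seconds spanned by the anomalous hits, to line up with the firewall's system log timeline."""
    times = [datetime.strptime(r["receive_time"], "%Y/%m/%d %H:%M:%S") for r, _ in hits]
    return (max(times) - min(times)).total_seconds() if times else 0.0
```

Run `find_anomalous_hits(RULE, SAMPLE_LOG)` over a real export (after mapping the column names) and compare `anomaly_window` against the system log entries for process restarts in the same period.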
Have you tried running a packet capture to see what it is? You can run a packet-diag flow basic to see how the session goes through the system and why it's hitting that rule.