I’ve been converting rules from port-based to App-ID and I came across something that made no sense.
I verified that the App-ID rules were working correctly as expected. I saw the port-based rule had some hits and started to investigate whether I had missed something.
When I searched on the port-based rule in Monitor, I saw traffic that didn’t match the security rule passing through that rule. Zones, Sources, Destinations and Services don’t match, but traffic is being allowed according to Monitor.
I had 2 coworkers review this issue with me and we looked at everything. We’re kind of lost on this. We verified Source and Destination IPs in both rules. Verified the zones and services. Checked the local firewall to see if there may be local rules.
PAN-OS is 9.0.9 on a PA-5260. Opened a TAC case with PAN.