Monday, 26 January 2026

Ever spent hours troubleshooting a traffic issue, only to realize the rule already existed in Panorama? 🤔

I recently faced a case where traffic was getting dropped, even though the security policy was already present in Panorama.

At first glance, everything looked correct.

The rule was there. Commit was successful. ✅
But on the firewall, traffic was still hitting interzone-default. ❌

After digging deeper, the real issue turned out to be simple:
The policy was created in the wrong device group. 🎯
Since the firewall belonged to a different device group, the rule never actually got pushed to the firewall — even though it existed in Panorama.

So from Panorama:
Rule exists ✔️
But on the firewall:
Rule doesn’t exist ❌

This is what makes it dangerous:
No errors, no warnings, no failed commits. ⚠️
Yet production traffic is still dropped.

Lesson learned:
In Panorama, always check the device group context before creating or modifying rules, and verify on the firewall itself (for example with show running security-policy, or test security-policy-match for the flow in question) that the rule actually arrived. A rule only reaches a firewall if it lives in that firewall's device group, one of that group's ancestors, or Shared. In centralized management, where you configure is just as important as what you configure.
Sometimes the problem is not the policy,
it's the context. 🧠
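The check below is an added example, not code from the original post or from Palo Alto Networks: it reads a Panorama configuration export, works out which device group a firewall serial belongs to, walks the device-group hierarchy (child, ancestors, Shared) in the order Panorama evaluates rules, and reports whether a given rule name will ever be pushed to that firewall, or where else in Panorama it is sitting instead. The XML is constructed for this example; its layout (device groups under devices/entry/device-group, rulebases under pre-rulebase and post-rulebase, Shared under /config/shared, and the parent-dg element under /config/readonly) is modelled on a Panorama export, and the device group names, serials and rule names are invented. The same logic can be run against a real export fetched with the XML API's show config operation.

```python
import xml.etree.ElementTree as ET

# Constructed Panorama config excerpt (assumption: layout modelled on a real
# export; device groups, serials and rule names are invented for this example).
# DG-Branch and DG-Datacenter are children of DG-Corp. The branch firewall
# 001901000001 is in DG-Branch; the rule "Allow-Branch-to-DB" was created in
# DG-Datacenter, i.e. the wrong device group for that firewall.
PANORAMA_CONFIG = """
<config>
  <shared>
    <pre-rulebase><security><rules>
      <entry name="Shared-Block-Malicious"/>
    </rules></security></pre-rulebase>
    <post-rulebase><security><rules/></security></post-rulebase>
  </shared>
  <readonly><devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-Branch"><parent-dg>DG-Corp</parent-dg></entry>
    <entry name="DG-Datacenter"><parent-dg>DG-Corp</parent-dg></entry>
  </device-group></entry></devices></readonly>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-Corp">
      <pre-rulebase><security><rules>
        <entry name="Corp-Allow-DNS"/>
      </rules></security></pre-rulebase>
      <post-rulebase><security><rules/></security></post-rulebase>
    </entry>
    <entry name="DG-Branch">
      <devices><entry name="001901000001"/></devices>
      <pre-rulebase><security><rules/></security></pre-rulebase>
      <post-rulebase><security><rules>
        <entry name="Branch-Deny-Guest"/>
      </rules></security></post-rulebase>
    </entry>
    <entry name="DG-Datacenter">
      <devices><entry name="001901000002"/></devices>
      <pre-rulebase><security><rules>
        <entry name="Allow-Branch-to-DB"/>
      </rules></security></pre-rulebase>
      <post-rulebase><security><rules/></security></post-rulebase>
    </entry>
  </device-group></entry></devices>
</config>
"""

DG_XPATH = "./devices/entry[@name='localhost.localdomain']/device-group/entry"
RO_XPATH = "./readonly/devices/entry[@name='localhost.localdomain']/device-group/entry"


def load(config_xml: str) -> ET.Element:
    return ET.fromstring(config_xml)


def device_group_of(root: ET.Element, serial: str):
    """Name of the device group whose <devices> list contains this serial, or None."""
    for dg in root.iterfind(DG_XPATH):
        if dg.find(f"./devices/entry[@name='{serial}']") is not None:
            return dg.get("name")
    return None


def parent_of(root: ET.Element, dg_name: str):
    node = root.find(f"{RO_XPATH}[@name='{dg_name}']/parent-dg")
    return node.text if node is not None else None


def lineage(root: ET.Element, dg_name: str):
    """Device-group chain from the top-most ancestor down to dg_name (cycle-safe)."""
    chain, seen, cur = [], set(), dg_name
    while cur is not None and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = parent_of(root, cur)
    return list(reversed(chain))


def rules_in(container: ET.Element, phase: str):
    """Rule names in a pre- or post-rulebase of a device group or Shared."""
    return [e.get("name") for e in container.iterfind(f"./{phase}-rulebase/security/rules/entry")]


def effective_policy(root: ET.Element, serial: str):
    """(device group, ordered [(rule, scope, phase)]) as pushed to this firewall,
    in Panorama evaluation order: Shared pre, ancestor pre ... own pre,
    then own post ... ancestor post, Shared post. Returns None if the serial
    is in no device group."""
    dg = device_group_of(root, serial)
    if dg is None:
        return None
    chain = lineage(root, dg)
    shared = root.find("./shared")
    ordered = []
    if shared is not None:
        ordered += [(r, "shared", "pre") for r in rules_in(shared, "pre")]
    for name in chain:
        node = root.find(f"{DG_XPATH}[@name='{name}']")
        if node is not None:
            ordered += [(r, name, "pre") for r in rules_in(node, "pre")]
    for name in reversed(chain):
        node = root.find(f"{DG_XPATH}[@name='{name}']")
        if node is not None:
            ordered += [(r, name, "post") for r in rules_in(node, "post")]
    if shared is not None:
        ordered += [(r, "shared", "post") for r in rules_in(shared, "post")]
    return dg, ordered


def where_is_rule(root: ET.Element, rule_name: str):
    """Every (scope, phase) in Panorama whose rulebase defines rule_name."""
    hits = []
    shared = root.find("./shared")
    for phase in ("pre", "post"):
        if shared is not None and rule_name in rules_in(shared, phase):
            hits.append(("shared", phase))
    for dg in root.iterfind(DG_XPATH):
        for phase in ("pre", "post"):
            if rule_name in rules_in(dg, phase):
                hits.append((dg.get("name"), phase))
    return hits


def rule_reaches_firewall(root: ET.Element, serial: str, rule_name: str):
    """(True, where) if the rule is in the firewall's effective policy,
    otherwise (False, reason). A rule that exists in Panorama but only in a
    sibling device group never reaches the firewall, so traffic falls through
    to interzone-default with no commit error."""
    result = effective_policy(root, serial)
    if result is None:
        return False, f"serial {serial} is not a member of any device group"
    dg, ordered = result
    for name, scope, phase in ordered:
        if name == rule_name:
            return True, f"{scope} {phase}-rulebase"
    return False, f"not in device group '{dg}', its ancestors or Shared"


if __name__ == "__main__":
    root = load(PANORAMA_CONFIG)
    fw = "001901000001"  # the branch firewall whose traffic hits interzone-default
    for rule in ("Allow-Branch-to-DB", "Corp-Allow-DNS"):
        ok, why = rule_reaches_firewall(root, fw, rule)
        print(f"{rule}: {'pushed' if ok else 'NOT pushed'} ({why}); defined in {where_is_rule(root, rule)}")
```

Running it shows the situation from the post: Allow-Branch-to-DB is defined in DG-Datacenter, so for the DG-Branch firewall it is "NOT pushed", while Corp-Allow-DNS in the parent group DG-Corp is. Pair this with the on-box view (show running security-policy on the firewall) before spending time on sessions and traffic logs.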
