RC RANDOM CHAOS

PAN-OS remembers the verdict, forgets the reasoning

Firewall rules, AD groups, and JWTs keep executing stored references long after the reality they described has drifted. The system revalidates nothing.


A firewall ruleset does exactly one thing. It evaluates traffic against an ordered list of statements and returns permit or deny on the first match. A Cisco ASA access list and a Palo Alto Networks PAN-OS security policy differ in syntax, and in the richness of what they can match, but they share the same essential property: the rule is a stored decision, not a stored reason. The device holds the outcome of a judgment. It does not hold the judgment.

That distinction is not a limitation bolted on at the edges. It is the design. A rule table is optimized to resolve traffic quickly and deterministically, which means it stores the answer so it never has to recompute it. When line 47 permits a /24 to reach a database segment, the device executes that line identically whether the reason behind it is understood, forgotten, or actively wrong. There is no field for rationale. There is no column for intent. The evaluation engine matches, it acts, and it moves on.

So the object that sits in production is a fixed reference. It encodes, with total fidelity, a set of decisions that were correct at the instant they were written. The reasoning that produced each of those decisions existed once and was never part of what the system retains. The system retains the result. This is true of a PAN-OS policy, it is true of an ASA access list, and it is true of nearly every configured control in an enterprise: the artifact is the decision, stripped of the context that made it a decision at all.

The assumption underneath every accreted configuration is that the stored state encodes understanding. That a rule, once written, stays legible: that whoever inherits the system can read line 47 and reconstruct why it exists. Trust in a configuration is trust that the artifact and its rationale remain coupled, and that the coupling is both persistent across time and transferable to whoever holds the system next. The config is treated, quietly and universally, as documentation of its own purpose.

Active Directory carries the identical load. A nested security group grants access, and the name of the group is assumed to describe the access it confers. The assumption is that the mapping between the group and the resource it was created to reach is stable, knowable, and recoverable by inspection. Membership is trusted because the structure is trusted, and the structure is trusted because it was, at some point, deliberate. Deliberateness at creation is silently promoted into meaning at every point thereafter.

What the trust model actually assumed was continuity of context. It assumed the environment that gave a rule its meaning would persist alongside the rule, or at minimum remain reachable when someone went looking. Persistence of understanding was treated as a property of the system, when it was only ever a property of the moment of authorship. Transferability was assumed rather than produced. Neither persistence nor transferability was ever enforced by anything the ASA, the PAN-OS policy, or the directory actually did. The coupling was assumed to hold because nothing in daily operation forced anyone to test whether it still did.

It did not start this way. At the moment a rule is written, the permit statement and the condition that justified it are coupled tightly: a specific host, a specific application, a specific need, all present and legible at once. The two exist together, and the assumption that the artifact carries its own meaning is, briefly, true. What changed was not the rule. The rule is byte-for-byte what it was. What changed was the validity of the assumption that the rule still means what it meant.

The topology moved. The application that justified the permit was decommissioned or migrated behind a load balancer. The /24 was re-assigned to a different function. The database segment was consolidated into another. None of this reached the ruleset, because a firewall does not ask whether the condition that justified a rule still holds. It inherits the rule from its last committed state and executes it, exactly, forever. Active Directory does not ask whether a group still maps to the resource it was named for. It inherits the membership, evaluates it, and grants. The system carries trust forward from a prior state without ever re-deriving whether that trust is still earned.

The mechanism never revalidated because it was never constructed to. The coupling between artifact and understanding lived outside the device and outside the directory, in a context that drifted continuously while the stored state held perfectly still. The reference stayed fixed. The reality it pointed at moved. The distance that opened between them is invisible to the system, because the system only ever sees the reference and never the thing referenced. That assumption, that a stored decision still describes a live condition, no longer holds. Nothing in the evaluation path is capable of noticing that it stopped holding.

The firewall does not fail at the moment traffic arrives. It succeeds. A packet reaches the ASA, its source, destination, and port are compared against the ordered list, line 47 matches, and permit is returned. Every step executes to specification. What the device confirmed is that the packet corresponds to the reference. What it did not confirm, because nothing in its evaluation path is built to, is whether the reference still corresponds to anything real. Validation of the traffic against the rule quietly replaced validation of the rule against reality. The first is cheap, deterministic, and continuous. The second was never part of the machine.

This is the substitution that matters, and it is the same substitution in every configured control. The system checks identity of source, not integrity of content. The ASA checks that a packet has the shape the rule describes. It does not check that the segment behind the permit still houses the thing the permit was written to reach. Active Directory confirms that a principal is a member of a group and that the group carries the access control entry, and it grants. It confirms membership. It does not confirm that membership still means what the group name claims. In both cases the reference resolves cleanly. The referent is never consulted, because the referent is not something the system holds.

Because both behaviors are the designed behaviors, there is no bypass, no anomaly, no signature to catch. A permit that still protects something live and a permit that protects nothing at all are byte-for-byte identical on the wire and in the log. The grant against a group that still maps to a real resource and the grant against a group whose resource was consolidated two migrations ago produce the same event, the same 4624, the same green in the console. Detection sees expected behavior, because the behavior is expected. If you cannot see the difference between a rule that still means something and a rule that means nothing, the rule that means nothing is invisible to you. It did not disappear. It moved into the gap between the reference and the referent, and the system never looks there.
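As an added example (Python, not code from the original post), the next block models the evaluation path the essay describes: a first-match rule table that consults only the stored reference, a log line that is identical for a permit with a live referent and one without, and beside them the referent check the device never performs, run against a constructed asset inventory. Every rule, address, service and port below is constructed for illustration; nothing is taken from a real ruleset.

```python
"""Added example, not code from the original post: a first-match rule table
evaluated the way the essay describes, next to the revalidation step the
device itself never performs. Every rule, address and inventory entry below
is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    line: int
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None matches any port
    rationale: str         # what the author meant; the evaluator never reads it


# Constructed ruleset. Line 47 was written for a CRM-to-MSSQL flow.
RULES: List[Rule] = [
    Rule(10, "permit", "10.1.0.0/24", "10.9.5.0/24", 5432, "app tier to billing Postgres"),
    Rule(47, "permit", "10.1.2.0/24", "10.9.7.0/24", 1433, "legacy CRM to MSSQL"),
    Rule(99, "deny", "0.0.0.0/0", "0.0.0.0/0", None, "explicit deny all"),
]

# Constructed current inventory: (segment CIDR, service name, listening port).
# The MSSQL host behind line 47 was migrated away; the segment now hosts print spoolers.
INVENTORY: List[Tuple[str, str, int]] = [
    ("10.9.5.0/24", "billing-db", 5432),
    ("10.9.7.0/24", "print-spooler", 9100),
]


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Only the stored reference is consulted;
    the rationale field plays no part. Returns (action, matching line)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and (r.port is None or r.port == port):
            return r.action, r.line
    return "deny", None  # implicit deny when nothing matches


def log_line(action: str, line: Optional[int], src: str, dst: str, port: int) -> str:
    """The event a device emits. A permit whose referent is gone produces exactly
    this string, indistinguishable from a permit that still protects something."""
    return f"{action} line={line} {src}->{dst}:{port}"


def audit_referents(rules: List[Rule], inventory: List[Tuple[str, str, int]]) -> List[Tuple[int, str]]:
    """The check the device lacks: for each permit, ask whether the destination
    segment still hosts a service listening on the permitted port.
    Returns (line, rationale) for permits whose referent no longer exists."""
    stale = []
    for r in rules:
        if r.action != "permit":
            continue
        dst_net = ip_network(r.dst)
        still_live = any(
            dst_net.overlaps(ip_network(seg)) and (r.port is None or r.port == port)
            for seg, _service, port in inventory
        )
        if not still_live:
            stale.append((r.line, r.rationale))
    return stale


if __name__ == "__main__":
    a, ln = evaluate(RULES, "10.1.2.14", "10.9.7.30", 1433)
    print(log_line(a, ln, "10.1.2.14", "10.9.7.30", 1433))  # permit on line 47, though nothing listens on 1433
    for line, why in audit_referents(RULES, INVENTORY):
        print(f"line {line} has no live referent (written for: {why})")
```

The audit is the only place the rationale is read, and it reads it purely to label the finding for a human. The point of the design is that the evaluation engine and the log are unchanged; the revalidation lives in a separate process fed by an inventory the device does not hold, which is exactly where the essay says the coupling always lived.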

The pattern underneath this is narrow enough to state in one line: execution based on reference, not verification. A system that stores a resolved decision and re-runs it will, by construction, re-run it whether or not the conditions that produced the decision still hold. Resolution happens once, at authorship, when context is present and the artifact and its reason are briefly coupled. Execution happens forever, on the artifact alone. The reason is not carried forward because the reason was never stored. What is stored is the answer, and the answer does not know the question anymore.

The same mechanism runs anywhere a system trusts a validated token in place of a current fact. A resource server presented with a bearer token under RFC 7519 verifies the signature: proof that the token was issued by a trusted authority and not altered in transit. A valid signature establishes the identity of the source and the integrity of the claims at the instant of issuance. It establishes nothing about whether those claims are still true. If a subject’s entitlement is revoked 10 minutes into the life of a token minted with a 60-minute expiry, the server keeps honoring it for the remaining 50, because it validates the token against its signature, not the claim against the present state of the world. Identity of source stood in for integrity of content. It is the firewall line and the group membership again, wearing a different encoding: the reference verifies perfectly, and the thing it points at is never asked whether it still agrees.
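The token case above, as an added example (Python, not code from the original post): a minimal HS256 JWT is minted with the subject's entitlements resolved once at issuance, then checked two ways by a resource server. The first check verifies only the signature and expiry, so a revocation 10 minutes in goes unnoticed for the remaining 50; the second consults the current entitlement store after the signature check, so the revocation takes effect at the next request. The signing key, subject, entitlement names and timestamps are all constructed, and the JWT encoding is written out by hand so the block runs with the standard library only.

```python
"""Added example, not code from the original post: a minimal HS256 JWT
(RFC 7519 claims in compact serialization) minted, then verified two ways.
Key, subject, entitlements and timestamps are all constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

# Constructed signing key shared by the issuer and the resource server.
SECRET = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(sub: str, entitlements: List[str], now: int, ttl: int = 3600) -> str:
    """Issuer side: resolve the subject's entitlements once and sign the answer."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "entitlements": entitlements, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, now: int) -> Optional[Dict]:
    """The reference check: who issued the claims and whether they are intact
    and unexpired. Says nothing about whether they are still true."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm before trusting anything else
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def authorize_by_token(token: str, resource: str, now: int) -> bool:
    """Resource server that honors the stored decision for the token's whole lifetime."""
    claims = verify_signature(token, now)
    return claims is not None and resource in claims.get("entitlements", [])


def authorize_by_current_state(token: str, resource: str, now: int,
                               entitlement_store: Dict[str, Set[str]]) -> bool:
    """Reference plus referent: the signature proves who issued the claims; the
    store says whether they are still so. Revocation takes effect at the next request."""
    claims = verify_signature(token, now)
    if claims is None:
        return False
    return resource in entitlement_store.get(claims["sub"], set())


def revocation_timeline(t0: int) -> Dict[str, bool]:
    """Constructed scenario from the essay: 60-minute token, entitlement revoked at +10 min."""
    store: Dict[str, Set[str]] = {"alice": {"billing-db"}}
    token = mint("alice", ["billing-db"], t0, ttl=3600)
    store["alice"].discard("billing-db")  # revoked at t0 + 600; the token is unchanged
    return {
        "token_only_at_20min": authorize_by_token(token, "billing-db", t0 + 1200),
        "current_state_at_20min": authorize_by_current_state(token, "billing-db", t0 + 1200, store),
        "token_only_at_60min": authorize_by_token(token, "billing-db", t0 + 3600),
    }


if __name__ == "__main__":
    for check, granted in revocation_timeline(1_700_000_000).items():
        print(f"{check}: {'granted' if granted else 'denied'}")
```

The second verifier still runs the signature check first: the signature is what makes the `sub` claim trustworthy enough to look up. What changes is that the entitlement list inside the token becomes a hint rather than the answer, and the cost of that is a lookup on every request, which is the cost the stateless design was built to avoid.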

The decay of understanding named in the title is this same mechanism observed from the outside, at the scale of an organization rather than a device. The coupling between the artifact and its reason was never a property the ASA, the directory, or the token service held. It lived in context, alongside the people and the diagrams and the tickets that briefly shadowed the configuration. The system was always executing on the reference alone. What thinned was the external thing that used to stand in for a revalidation path the machine never had. So the phrase is not a lament about losing the people who remember. It is a precise description of a system that never stored the reason, running exactly as it was built to run, long after anyone could reconstruct why.

A rule table resolves a decision once. It does not revalidate. It cannot, because it retained the outcome and discarded the condition.

The reference stays fixed with total fidelity. The reality it describes drifts continuously and silently, and the distance between them is the one quantity the system is structurally incapable of measuring.

The control exists. It permits, it grants, it verifies, exactly as specified. The outcome it was built to produce does not.
