https://live.paloaltonetworks.com/t5/next-generation-firewall/post-os-upgrade-for-pa-5220-from-9-1-4-to-10-2-3-h4-users/m-p/540677#M1197 <P>Hi There,</P> <P>&nbsp;</P> <P>Recently, we upgraded the OS on our PA-5220 from 9.1.4 to 10.2.3-h4. Immediately after we upgraded to 10.2.3-h4 our helpdesk began receiving calls from users reporting that they cannot get logged into MS Office365 Applications, it'll never bring them to the MS prompt to input their Office365 email/password it'll just say "Can't reach this page."&nbsp;</P> <P>&nbsp;</P> <P>From monitoring the traffic on the firewall, it looks like when a PC in the trust zone is trying to reach out to the ADFS server in the DMZ zone the session is being reset on the server side.&nbsp;</P> <P>&nbsp;</P> <P>I'm not certain if maybe the U-Turn NAT rules we have in place to utilize our Microsoft Traffic Manager to route traffic to our ADFS servers got messed up after the OS upgrade on PA-5220. As a temporary work around, we had to update the DNS record to not utilize the Microsoft Traffic Manager alias and instead add the actual ADFS IP addresses and users are able to get to MS Office365 applications.&nbsp;</P> <P>&nbsp;</P> <P>I appreciate your support in advance.</P> <P>&nbsp;</P> <P>Thank You,</P> <P>Krystin&nbsp;</P> Mon, 01 May 2023 21:28:19 GMT Krystin 2023-05-01T21:28:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/post-os-upgrade-for-pa-5220-from-9-1-4-to-10-2-3-h4-users/m-p/540677#M1197 <P>Hi There,</P> <P>&nbsp;</P> <P>Recently, we upgraded the OS on our PA-5220 from 9.1.4 to 10.2.3-h4. Immediately after we upgraded to 10.2.3-h4 our helpdesk began receiving calls from users reporting that they cannot get logged into MS Office365 Applications, it'll never bring them to the MS prompt to input their Office365 email/password it'll just say "Can't reach this page."&nbsp;</P> <P>&nbsp;</P> <P>From monitoring the traffic on the firewall, it looks like when a PC in the trust zone is trying to reach out to the ADFS server in the DMZ zone the session is being reset on the server side.&nbsp;</P> <P>&nbsp;</P> <P>I'm not certain if maybe the U-Turn NAT rules we have in place to utilize our Microsoft Traffic Manager to route traffic to our ADFS servers got messed up after the OS upgrade on PA-5220. As a temporary work around, we had to update the DNS record to not utilize the Microsoft Traffic Manager alias and instead add the actual ADFS IP addresses and users are able to get to MS Office365 applications.&nbsp;</P> <P>&nbsp;</P> <P>I appreciate your support in advance.</P> <P>&nbsp;</P> <P>Thank You,</P> <P>Krystin&nbsp;</P> Mon, 01 May 2023 21:28:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/post-os-upgrade-for-pa-5220-from-9-1-4-to-10-2-3-h4-users/m-p/540677#M1197 Krystin 2023-05-01T21:28:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/post-os-upgrade-for-pa-5220-from-9-1-4-to-10-2-3-h4-users/m-p/541140#M1222 <P>Hello,</P> <P>Check the logs to see if there is any blocked traffic. The newer code has new features, etc. Also check out the external dynamic list that PAN has available for o365 since its IP's rotate a lot:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1683237846829.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49983i40228A78FFFC1CD2/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_0-1683237846829.png" alt="OtakarKlier_0-1683237846829.png" /></span></P> <P>&nbsp;</P> <P>Regards,</P> Thu, 04 May 2023 22:04:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/post-os-upgrade-for-pa-5220-from-9-1-4-to-10-2-3-h4-users/m-p/541140#M1222 OtakarKlier 2023-05-04T22:04:20Z