https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/591311#M117753 <P>Hi, thank you for replying to my post. So, I checked in the monitoring log and found that there's an MS Office application that needs to be allowed for login. I've already restricted it so that only the Global Protect application is permitted.</P> Sun, 07 Jul 2024 12:29:31 GMT ariiero 2024-07-07T12:29:31Z https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/589815#M117533 <DIV class="flex flex-grow flex-col max-w-full"> <DIV class="min-h-[20px] text-message flex flex-col items-start whitespace-pre-wrap break-words [.text-message+&amp;]:mt-5 juice:w-full juice:items-end overflow-x-auto gap-2" dir="auto" data-message-author-role="assistant" data-message-id="746c466d-b931-4236-9a07-5e3d8a9fcd87"> <DIV class="flex w-full flex-col gap-1 juice:empty:hidden juice:first:pt-[3px]"> <DIV class="markdown prose w-full break-words dark:prose-invert light"> <P>Hi Everyone Greeting.</P> <P>&nbsp;</P> <P>I need to allow only the GlobalProtect application from the trust to the untrust zone, by allowing:</P> <OL> <LI>&nbsp;First security policies : source trust -&gt; destination untrust -&gt; Application DNS -&gt; Allow</LI> <LI>Second security policies : source trust -&gt; destination untrust -&gt; The Paloalto-shared-services application, by opening TCP port 443 and UDP port 4501</LI> </OL> <P>However, it sometimes works and sometimes does not. Can someone help me?</P> <P>&nbsp;</P> <P>Thank you,</P> <P>Arie</P> </DIV> </DIV> </DIV> </DIV> Tue, 18 Jun 2024 14:30:25 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/589815#M117533 ariiero 2024-06-18T14:30:25Z https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/590012#M117566 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/376740489">@ariiero</a>&nbsp;,</P> <P>&nbsp;</P> <P>Your security policies look pretty standard. The first place I would check is the monitor tab and view the traffic logs for the various connections going through your policy 1 and policy 2 (traffic being allowed? bytes sent and bytes returned? session end reason, application registering? etc.)&nbsp;</P> <P>I would also compare the advanced details logs of the connections that work and the connections that aren't working.&nbsp;</P> Thu, 20 Jun 2024 17:12:28 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/590012#M117566 JayGolf 2024-06-20T17:12:28Z https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/591311#M117753 <P>Hi, thank you for replying to my post. So, I checked in the monitoring log and found that there's an MS Office application that needs to be allowed for login. I've already restricted it so that only the Global Protect application is permitted.</P> Sun, 07 Jul 2024 12:29:31 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-only-global-protect-from-trust-to-untrust/m-p/591311#M117753 ariiero 2024-07-07T12:29:31Z