https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21731#M15882 <HTML><HEAD></HEAD><BODY><P>Hi all</P><P></P><P>I do already have an explicit deny all rule covering this zone, with logging enabled.</P></BODY></HTML> Wed, 22 May 2013 07:37:09 GMT BlackfenSchool 2013-05-22T07:37:09Z https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21727#M15878 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>At some point in the last month or so, I've managed to break downloads from both the Google Play store and Apple App store.&nbsp; But I don't know how. <img id="smileysad" class="emoticon emoticon-smileysad" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" /></P><P></P><P>I have enabled decryption, but have disabled all my decryption rules and it is still broken - So I assume it's not that.</P><P></P><P>I can't find any associated denied traffic in the traffic log, or in the URL filtering log.</P><P></P><P><IMG alt="PlayBroke.jpg" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/6597_PlayBroke.jpg" width="450" /></P><P>If anyone has any idea what I've done, it would be greatly appreciated.</P><P></P><P>Thanks</P><P></P><P>Shaun</P></BODY></HTML> Tue, 21 May 2013 07:38:01 GMT https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21727#M15878 BlackfenSchool 2013-05-21T07:38:01Z https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21728#M15879 <HTML><HEAD></HEAD><BODY><P>If you don't have an explicit deny rule at the end of your policies, you won't see anything that is implicitly denied. In other words, If you don't have something allowed that needs to be allowed, and you don't have a policy that alerts or blocks everything else, you won't see it in the log. There is also a document located here: <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4256">https://live.paloaltonetworks.com/docs/DOC-4256</A> that may be of use to you.</P></BODY></HTML> Tue, 21 May 2013 15:10:08 GMT https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21728#M15879 craymond 2013-05-21T15:10:08Z https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21729#M15880 <HTML><HEAD></HEAD><BODY><P>Also instead of a "Deny any to any" rule you might want to break your explicit deny rule up by Zone... otherwise you break intra-zone traffic if you have any (this is from experience.. we broke our Palo Alto providing DHCP by having a 'deny any' at the bottom of our rule base)</P></BODY></HTML> Tue, 21 May 2013 15:32:32 GMT https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21729#M15880 ericgearhart 2013-05-21T15:32:32Z https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21730#M15881 <HTML><HEAD></HEAD><BODY><P>I should have been more explicit! - As egearhart said, you definitely should not use a deny any any rule.</P></BODY></HTML> Tue, 21 May 2013 17:28:57 GMT https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21730#M15881 craymond 2013-05-21T17:28:57Z https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21731#M15882 <HTML><HEAD></HEAD><BODY><P>Hi all</P><P></P><P>I do already have an explicit deny all rule covering this zone, with logging enabled.</P></BODY></HTML> Wed, 22 May 2013 07:37:09 GMT https://live.paloaltonetworks.com/t5/general-topics/have-managed-to-break-google-play-and-apple-app-store-downloads/m-p/21731#M15882 BlackfenSchool 2013-05-22T07:37:09Z