https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24557#M17906 <HTML><HEAD></HEAD><BODY><P>Initially you only need to alow SSL and IPSEC from untrust to untrust.&nbsp; What is the zone for your tunnel interface? If it is something other than untrus or trus you will need to create rules that allow from the untrust to the VPN-Zone and VPN-Zone to trust.&nbsp; Use the CLI commands to see which rule is dropping your traffic.</P><P></P><P>show session all filter source &lt;ip_of_test_pc&gt;</P><P></P><P>This should show you at least one session, app = ssl, and some ID number.</P><P></P><P>Then look at the ID.</P><P></P><P>Show session id xxxxx</P><P></P><P>This will show you the ingress and egress&nbsp; interfaces and the security rule that allowed or dropped the packets.</P><P></P><P>If this is not enough then you will need to open a support ticket.</P><P></P><P>Steve Krall</P></BODY></HTML> Wed, 02 Mar 2011 08:24:16 GMT skrall 2011-03-02T08:24:16Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24556#M17905 <HTML><HEAD></HEAD><BODY><P>Hi guys,</P><P></P><P>I'm trying to set up ssl vpn on PAN. I would like to know which security policies are necessary to make the portal work.</P><P></P><P>My actual rule is:</P><P></P><P>Source Zone: untrust</P><P>Destination Zone: untrust</P><P>Source Address: any</P><P>Source User: any</P><P>Destination Address: public ip</P><P>Application: ssl, ipsec, panos-web-interface, web-browsing</P><P>Service: application-default</P><P></P><P>If I use "any" as service, the portal is shown, I can log in and the tunnel works, but using the above rule the portal doesn't work. Inspecting the log I can see that traffic is denied by the default block rule.</P><P></P><P>deny untrust untrust addr.src addr.dst 22735 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;443 addr.src.nat addr.dst.nat 22735 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;20077 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;web-browsing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;deny default_block</P><P></P><P>Addr.src = addr.scr.nat</P><P>Addr.dst = addt.dst.nat</P><P></P><P>Somehow port 443 is mapped by some kind of nat to port 20077 so I suppose that I have to open it. Which port range should be opened?</P><P></P><P>Thanks!</P></BODY></HTML> Mon, 28 Feb 2011 22:17:49 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24556#M17905 ajripa 2011-02-28T22:17:49Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24557#M17906 <HTML><HEAD></HEAD><BODY><P>Initially you only need to alow SSL and IPSEC from untrust to untrust.&nbsp; What is the zone for your tunnel interface? If it is something other than untrus or trus you will need to create rules that allow from the untrust to the VPN-Zone and VPN-Zone to trust.&nbsp; Use the CLI commands to see which rule is dropping your traffic.</P><P></P><P>show session all filter source &lt;ip_of_test_pc&gt;</P><P></P><P>This should show you at least one session, app = ssl, and some ID number.</P><P></P><P>Then look at the ID.</P><P></P><P>Show session id xxxxx</P><P></P><P>This will show you the ingress and egress&nbsp; interfaces and the security rule that allowed or dropped the packets.</P><P></P><P>If this is not enough then you will need to open a support ticket.</P><P></P><P>Steve Krall</P></BODY></HTML> Wed, 02 Mar 2011 08:24:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24557#M17906 skrall 2011-03-02T08:24:16Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24558#M17907 <HTML><HEAD></HEAD><BODY><P>I had a Block_All rule defined for logging reasons. This rule overruled the default intrazone-allow-rule and avoided the properly working of the vpn portal page.</P></BODY></HTML> Sun, 27 Mar 2011 17:18:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24558#M17907 ajripa 2011-03-27T17:18:35Z https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24559#M17908 <HTML><HEAD></HEAD><BODY><P>The reason your portal page is being blocked when using application default for the service is that the web-browsing application traffic is on port 443 for the ssl vpn portal and not the default of 80/8080. See this post: <A href="https://live.paloaltonetworks.com/docs/DOC-1198">https://live.paloaltonetworks.com/docs/DOC-1198</A> as to why.</P><P></P><P>The way I got around it was to create a service for the IPSec traffic, called it service-ipsec on UDP 4500-4501 and then use specific services, i.e. service-http, service-https &amp; service-ipsec, instead of application default or any.</P></BODY></HTML> Thu, 31 Mar 2011 19:47:35 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-vpn-portal-page/m-p/24559#M17908 PierreJvR 2011-03-31T19:47:35Z