https://live.paloaltonetworks.com/t5/general-topics/check-to-check-quot-deny-quot-packages/m-p/34004#M24937 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I have some rules that will allow IPSEC between two Windows Domain Controllers, but it only works when I allow "any" underapplication - unless I ping from both ends.</P><P></P><P>So how can I see what port I am missing in my custom application group?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 24 Nov 2011 16:09:44 GMT FlexyZ 2011-11-24T16:09:44Z https://live.paloaltonetworks.com/t5/general-topics/check-to-check-quot-deny-quot-packages/m-p/34004#M24937 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I have some rules that will allow IPSEC between two Windows Domain Controllers, but it only works when I allow "any" underapplication - unless I ping from both ends.</P><P></P><P>So how can I see what port I am missing in my custom application group?</P><P></P><P>Thanks</P></BODY></HTML> Thu, 24 Nov 2011 16:09:44 GMT https://live.paloaltonetworks.com/t5/general-topics/check-to-check-quot-deny-quot-packages/m-p/34004#M24937 FlexyZ 2011-11-24T16:09:44Z https://live.paloaltonetworks.com/t5/general-topics/check-to-check-quot-deny-quot-packages/m-p/34005#M24938 <HTML><HEAD></HEAD><BODY><P>Try to look at the session table via CLI to determine what's being discarded when utilizing your application group. Something along these lines. Use the information to modify your app group accordingly and continue to test until you've rectified the issue.</P><P></P><P> show session all filter source 10.10.10.10 destination 192.168.1.1</P><P></P><P>Thanks,</P><P>Renato</P></BODY></HTML> Fri, 25 Nov 2011 09:41:17 GMT https://live.paloaltonetworks.com/t5/general-topics/check-to-check-quot-deny-quot-packages/m-p/34005#M24938 gswcowboy 2011-11-25T09:41:17Z