https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77031#M42504 <P>Are you logging everything? Find a rule that should allow or drop the mentioned traffic and see if it's set to logging.</P> Tue, 26 Apr 2016 06:54:53 GMT santonic 2016-04-26T06:54:53Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/76994#M42496 <P>I have and external website that I need to access on port 10443: https://&lt;public IP&gt;:10443. The connection never completes and times out.&nbsp;</P> <P>&nbsp;</P> <P>If I pull the PA FW out and throw in an ASA, works just fine. The logs on PA don't even show port 10443 being accessed or logged.</P> <P>&nbsp;</P> <P>No matter what log I check, I find nothing.</P> <P>&nbsp;</P> <P>Any idea?</P> <P>&nbsp;</P> <P>Thx</P> Mon, 25 Apr 2016 14:41:51 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/76994#M42496 dclark1 2016-04-25T14:41:51Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/76996#M42497 <P>Hello,</P> <P>&nbsp;</P> <P>Have you tried running a packet capture &amp; global counters to check for any drops/reasons for drops? Is there any asymmetric routing in your network?</P> <P>&nbsp;</P> <P>How to run a capture -</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390</A></P> <P>&nbsp;</P> <P>Global counters -</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CLI/ta-p/57496" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CLI/ta-p/57496</A></P> <P>&nbsp;</P> <P>hope this helps!</P> <P>Ben</P> Mon, 25 Apr 2016 14:54:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/76996#M42497 bmorris1 2016-04-25T14:54:46Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77005#M42499 <P>What's PAN-OS version on firewall?</P> <P>&nbsp;</P> <P>Check the application and service tab. Try to make application as ssl and keep service as any. Check if works or not.</P> Mon, 25 Apr 2016 20:06:27 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77005#M42499 pankaku 2016-04-25T20:06:27Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77031#M42504 <P>Are you logging everything? Find a rule that should allow or drop the mentioned traffic and see if it's set to logging.</P> Tue, 26 Apr 2016 06:54:53 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77031#M42504 santonic 2016-04-26T06:54:53Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77032#M42505 <P>Also make sure that your only drop rule isn't the implicit one: interzone-default. That rule doesn't log. I always make a default drop rule which logs above implicit rules.</P> Tue, 26 Apr 2016 06:57:41 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77032#M42505 santonic 2016-04-26T06:57:41Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77048#M42511 <P>Good idea on the drop rule. It's a very basic setup, and all rules log start and end of session. Capture logs show retransmissions, and traffic is getting to device.</P> <P>&nbsp;</P> <P>Additionally another app that uses SSL over a non stanard port also did not work. Swapped PA with an ASA and both apps worked.....definatley something on the PA.</P> <P>&nbsp;</P> <P>INFO:</P> <P>PA-VM-100</P> <P>Pan-OS: 7.1.1</P> <P>All other software up to date.</P> <P>&nbsp;</P> <P>Thx</P> Tue, 26 Apr 2016 12:07:19 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77048#M42511 dclark1 2016-04-26T12:07:19Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77049#M42512 <P>So did you find this traffic in logs? If all rules are set to logging then you must see it. If you still don't see it then it's dropped by implicit rule.</P> Tue, 26 Apr 2016 12:43:41 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77049#M42512 santonic 2016-04-26T12:43:41Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77067#M42517 <P>Good call santonic on the deny rule.....it was getting caught in the implict rule. Adjusted regular rule and all is good.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thx guys....</P> Tue, 26 Apr 2016 16:54:30 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77067#M42517 dclark1 2016-04-26T16:54:30Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77183#M42536 <P>No problem.</P> Thu, 28 Apr 2016 06:04:44 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-outbound-port-10443-doesn-t-show-up-in-logs/m-p/77183#M42536 santonic 2016-04-28T06:04:44Z