https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/154669#M50928 In my case the application was not identified when using the Facebook App (shows just SSL). Interesting enough, when using Chrome one the iPhone, it identifies it as Facebook-Video. So I had to create a rule to exempt any Social-Network category for iPhones, which isn't ideal, but it was the lowest denominator. Otherwise I have to exclude iPhone from decryption all together or at least iPhones SSL. Mon, 01 May 2017 13:08:25 GMT Hwinter 2017-05-01T13:08:25Z https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/153647#M50702 <P>When opening iOS Facebook app I''m unable to play a movie... however, from the same device if I login to facbook via browser I can play the video.</P><P>I'm trying to find out why the iOS App is getting blocked, as my policies clearly allow it.</P><P>Rule iPhones:</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Iphone Rule allowing all traffic" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8893i65B3B2CF9D3F864A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="iPhone Policy.JPG" alt="Iphone Rule allowing all traffic" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Iphone Rule allowing all traffic</span></span></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Log when using Facebook via Chrome" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8894iA6A9CAB93C95CAEE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Traffic Allowed.JPG" alt="Log when using Facebook via Chrome" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Log when using Facebook via Chrome</span></span></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Log when using Facebook via iOS App" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8895i78F1E15970B3B351/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Blocked Traffic.JPG" alt="Log when using Facebook via iOS App" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Log when using Facebook via iOS App</span></span></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Decryption Policy" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8896iF561EA0B8BF7C5E3/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Decryption Policy.JPG" alt="Decryption Policy" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Decryption Policy</span></span></P><P>&nbsp;</P><P>&nbsp;I'm not sure what I'm missing here. I'm trying to understand what is causing the traffic to be blocked. The only thing I see different is the fact that when the user is using the App PA shows the traffic as SSL and when using the&nbsp;Chrome PA shows it as facebook-Video. However, both should be allowed.</P><P>&nbsp;</P><P>Any ideas? I'm running VM-100 on 7.1.9.</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Apr 2017 17:26:15 GMT https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/153647#M50702 Hwinter 2017-04-21T17:26:15Z https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/153657#M50703 <P>For what is worth, I went&nbsp;to&nbsp;<SPAN>Device tab &gt; Response Pages screen, I unticked the&nbsp;"Enable SSL Opt-out Page" option. After that, it looks like it is working.</SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Response Page" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8898iFC0F7DA3B6A5C57D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Opt Out Response Page.JPG" alt="Response Page" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Response Page</span></span></SPAN></P><P>So I believe the page was sent to the app and it was timing out as there would beno reply. Not exacly what I was execting, but that is the only explanation on my mind.&nbsp;</P><P>&nbsp;</P><P>UPATE: problem still presists. VIdeo must have been cached when I was testing it.</P> Fri, 21 Apr 2017 19:17:13 GMT https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/153657#M50703 Hwinter 2017-04-21T19:17:13Z https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/153861#M50738 <P>I saw the same behavior. When I ran a packet capture on the traffic, I noticed the client was unable to validate the certificate and closed the connection. The traffic had to be exempted as I couldn't include the Decryption CA root in the application's trusted certificate store.</P> Mon, 24 Apr 2017 20:17:39 GMT https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/153861#M50738 MangoTango 2017-04-24T20:17:39Z https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/154669#M50928 In my case the application was not identified when using the Facebook App (shows just SSL). Interesting enough, when using Chrome one the iPhone, it identifies it as Facebook-Video. So I had to create a rule to exempt any Social-Network category for iPhones, which isn't ideal, but it was the lowest denominator. Otherwise I have to exclude iPhone from decryption all together or at least iPhones SSL. Mon, 01 May 2017 13:08:25 GMT https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/154669#M50928 Hwinter 2017-05-01T13:08:25Z https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/585346#M116865 <P>How did you exempt the traffic? The rule looks like it should have exempted it already. Do you mean you do not decrypt?</P> Tue, 30 Apr 2024 14:12:42 GMT https://live.paloaltonetworks.com/t5/general-topics/type-deny-while-action-allow/m-p/585346#M116865 Kristine.Kartchner 2024-04-30T14:12:42Z