topic Re: Cannot access HTTPS sites using non standard ports in General Topics

Cannot access HTTPS sites using non standard ports

Farzana — Wed, 06 Dec 2017 03:40:10 GMT

Hello,

When we switch the connection to a 4G connection, was able to connect to the URL without any issues:

wget https://www2.medicareaustralia.gov.au:5447/ --no-check-certificate

--2017-12-06 10:39:16-- https://www2.medicareaustralia.gov.au:5447/

Resolving www2.medicareaustralia.gov.au... 203.80.58.18

Connecting to www2.medicareaustralia.gov.au|203.80.58.18|:5447... connected.

Through PA, we are getting below:

wget https://www2.medicareaustralia.gov.au:5447/ --no-check-certificate

--2017-12-06 10:21:30-- https://www2.medicareaustralia.gov.au:5447/

Resolving www2.medicareaustralia.gov.au... 203.80.58.18

Connecting to www2.medicareaustralia.gov.au|203.80.58.18|:5447... failed: Connection timed out.

Tried using a simple test rule from Inside to Outside, Application any, Service/URL Category any, without any profile.

No NAT in use.

No-decrypt rule is in use for URL category: *.gov.au

Re: Cannot access HTTPS sites using non standard ports

DarinSutton — Wed, 06 Dec 2017 08:02:27 GMT

Can we see the Security policy Rule

are you using app default or a specific service (serivice-http, service-https)

is it being identified in the traffic log as SSL

or something else

Re: Cannot access HTTPS sites using non standard ports

reaper — Wed, 06 Dec 2017 10:12:35 GMT

your log states the app is incomplete and there's only 1 packet sent, none received

you may want to do some more basic troubleshooting like a ping or traceroute to verify if your routing is letting you get to the server, and then perform more tests to see why you are not receiving a reply packet (is the conenction being NATed, is the port allowed to pass through the upstream router, is the destination server blocking your ip,...)

Re: Cannot access HTTPS sites using non standard ports

fjwcash — Wed, 06 Dec 2017 20:49:00 GMT

Have you modified these to use your custom port: service-http, service-https? If not, then you are blocking the traffic. Those two default to port 80 and port 443. You need to create a custom service and set the port in there, then assign that service to your Security Policy.

If you check the Monitor tab, you'll see your traffic listed with "action = deny", with the ports listed in there.

Re: Cannot access HTTPS sites using non standard ports

khuynh — Wed, 06 Dec 2017 21:30:15 GMT

Hello Farzana,

Agree with another comment here: your log shows that the flow is seen as incomplete with no ingress packets. I would assume a network architecture problem like assymetry or a NAT problem: you tell that there is no NAT policy configured... Even an outbound one ?

Re: Cannot access HTTPS sites using non standard ports

Farzana — Thu, 07 Dec 2017 01:21:08 GMT

This issue only occurs when using a non-standard port 5447.

The Security policy is a simple one with application and service set to Any.

As mentioned earlier, no NATTing is there.

If I go to URL https://www2.medicareaustralia.gov.au/

I do get a response back from the Server, as shown below:

Re: Cannot access HTTPS sites using non standard ports

reaper — Thu, 07 Dec 2017 07:44:49 GMT

hi @Farzana

your outbound packets are being passed along so my guess would be there is an upstream issue

Since you're not applying NAT on the Palo Alto, is your upstream NAT device perhaps configured to NAT default ports (80+443) and not 'high' ports?

Re: Cannot access HTTPS sites using non standard ports

fjwcash — Thu, 07 Dec 2017 16:37:49 GMT

Can you show your "Pinterest Allow" Security Policy? That's the one that's matching the traffic, as shown by the log entries. And show the Security Policy that you think it's supposed to be matching.

Re: Cannot access HTTPS sites using non standard ports

BPry — Thu, 07 Dec 2017 17:30:46 GMT

@Farzana,

The current traffic is being allowed through the "Pinterest Allow" security policy, and prior traffic was being allowed through your test rule. Since your only test of this actually working is through a 4G connection, was that done through your Palo Alto or on a mobile device.

I think @reaper is right, this looks like it's an issue upstream from your Palo Alto. With the information provided I would start testing to see if you can access the site through the ISP connection if you bypass the PA all together, my initial guess would be that this test will fail. Once you've verified it's an ISP issue, then you can start the process of troubleshooting with the ISP.

Re: Cannot access HTTPS sites using non standard ports

Farzana — Wed, 13 Dec 2017 00:40:34 GMT

Thank you all for the suggestions. Really helpful.

Client found out there was another set of firewall by the Upstream provider that caused the issue.