https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217397#M62894 <P>It's showing on the correct port (443 and 8443 is what I was looking at) and being IDd as SSL traffic.&nbsp;</P> Mon, 11 Jun 2018 18:35:55 GMT Nathan.S 2018-06-11T18:35:55Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217369#M62885 <P>PA220, 8.1.1, GPClient 4.1.1, GP license activated.&nbsp;<BR /><BR />Connecting to the GPportal/gateway works fine. Traffic routes as expected.&nbsp;<BR />We're still testing, so access is severly limited and policies wide open once connected. Literally, everything is allowed for GP users.&nbsp;<BR />However, when i attempt to access an internal SSL-protected site, the traffic is denied.&nbsp;<BR />I can even change the rule to expressly allow SSL &amp; web-browsing to that device and it still hits the DenyAll rule at the bottom.&nbsp;<BR /><BR />What am I missing in my setup?</P> Mon, 11 Jun 2018 15:36:54 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217369#M62885 Nathan.S 2018-06-11T15:36:54Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217376#M62886 <P>Can you share screenshot of permit rule and denied log entry.</P><P>Most likely zone or user/group mismatch.</P> Mon, 11 Jun 2018 15:38:49 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217376#M62886 Raido_Rattameister 2018-06-11T15:38:49Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217390#M62890 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/13668">@Nathan.S</a>,</P><P>Aside from what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;already mentioned I would also look at the logs and verify that it's being seen on a default port and that the application is getting identified. There's a lot of little gotcha's here that can get in the way of this working properly.&nbsp;</P> Mon, 11 Jun 2018 18:18:21 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217390#M62890 BPry 2018-06-11T18:18:21Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217396#M62893 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rule" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15453i28768D68630C5683/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="userVPNITSRule.JPG" alt="Rule" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Rule</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="UnifiedLog" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15454iA8CD86E8421BD249/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="userVPNITSDeny.JPG" alt="UnifiedLog" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">UnifiedLog</span></span></P> Mon, 11 Jun 2018 18:35:00 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217396#M62893 Nathan.S 2018-06-11T18:35:00Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217397#M62894 <P>It's showing on the correct port (443 and 8443 is what I was looking at) and being IDd as SSL traffic.&nbsp;</P> Mon, 11 Jun 2018 18:35:55 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217397#M62894 Nathan.S 2018-06-11T18:35:55Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217399#M62896 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/13668">@Nathan.S</a>,</P><P>Looking at your screenshot it looks like the log in question is being identified as looking for dst port 7443 right? Regardless the application-default port for SSL identified traffic is only 443; so if you want to allow it on 8443/7443 or whatever you need to actually specify that. As your current security policy is written this traffic&nbsp;<EM>doesn't</EM> match your policy.&nbsp;</P> Mon, 11 Jun 2018 18:51:03 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217399#M62896 BPry 2018-06-11T18:51:03Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217406#M62897 <P>Even though I have the apps set to 'any'?<BR />huh.&nbsp;<BR />Let me look at the logs again, I'm pretty sure 443 traffic was failing too</P><P>&nbsp;</P> Mon, 11 Jun 2018 18:53:48 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217406#M62897 Nathan.S 2018-06-11T18:53:48Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217407#M62898 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/13668">@Nathan.S</a>,</P><P>Yes; this is due to specifying the service as application-default. Since the app-id is being identified as 'ssl' the only default service that is going to be allowed is 443.&nbsp;</P> Mon, 11 Jun 2018 18:55:28 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217407#M62898 BPry 2018-06-11T18:55:28Z https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217408#M62899 <P>Hmm, okay. I'll test further and will update.&nbsp;<BR /><BR />Thank you for your help!</P> Mon, 11 Jun 2018 18:56:42 GMT https://live.paloaltonetworks.com/t5/general-topics/troubleshooting-globalprotect/m-p/217408#M62899 Nathan.S 2018-06-11T18:56:42Z