https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275132#M75235 <P>Hello,</P><P>Also check the logs to see where and why you are getting dropped. If you have Application set for any and Service set to Application-default, then the PAN may identify some apps over non-standard ports and block the traffic.</P><P>&nbsp;</P><P>However as you mentioned your config, I would highly recommend that you not use any/any from untrust to trust, unless you have another firewall in between. Also there is free training online to help you along.</P><P><A href="https://paloaltonetworks.csod.com/" target="_blank">https://paloaltonetworks.csod.com</A></P><P>&nbsp;</P><P>As always you can post in here and we'll help out the best we can :).</P><P>&nbsp;</P><P>Cheers!</P> Fri, 05 Jul 2019 17:09:59 GMT OtakarKlier 2019-07-05T17:09:59Z https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275061#M75224 <P>I'm very new to PAN firewalls and are still learning as I go along, they've only been in a month or so and the only rule is currently set any any from the trust to untrust zones and vice versa.</P><P>&nbsp;</P><P>We've got a couple of issues around some connections that traverse our 5250's (LAN to WAN and vice versa) but from the 5250's perspective its not seeing any traffic in the logs for the addresses in question, no deny drops allows nothing.</P><P>&nbsp;</P><P>When we've done a packet capture from the servers on either end of the connection it shows the traffic leaving but its never seen on the 5250's. We've checked the routing and everything else in between but we've found nothing wrong.</P><P>&nbsp;</P><P>Zone protection profile has been disabled.</P><P>&nbsp;</P><P>Is there anything else that I can check to see if for one reason or another the 5250's are doing something they shouldn't to the traffic?</P><P>&nbsp;</P><P>Any help would be much appreciated?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Jon</P> Fri, 05 Jul 2019 13:47:29 GMT https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275061#M75224 JonHill 2019-07-05T13:47:29Z https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275088#M75229 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/100050">@JonHill</a>,</P><P>Ensure that you've actually enabled logging on the interzone-default policy and ensure you've checked interface counters for any dropped packets. Did you do a PCAP on the actual firewall yet or not? That would be my next stop if everything else checks out so you can see that it's at least hitting the firewall and being processed correctly.&nbsp;</P> Fri, 05 Jul 2019 14:38:04 GMT https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275088#M75229 BPry 2019-07-05T14:38:04Z https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275132#M75235 <P>Hello,</P><P>Also check the logs to see where and why you are getting dropped. If you have Application set for any and Service set to Application-default, then the PAN may identify some apps over non-standard ports and block the traffic.</P><P>&nbsp;</P><P>However as you mentioned your config, I would highly recommend that you not use any/any from untrust to trust, unless you have another firewall in between. Also there is free training online to help you along.</P><P><A href="https://paloaltonetworks.csod.com/" target="_blank">https://paloaltonetworks.csod.com</A></P><P>&nbsp;</P><P>As always you can post in here and we'll help out the best we can :).</P><P>&nbsp;</P><P>Cheers!</P> Fri, 05 Jul 2019 17:09:59 GMT https://live.paloaltonetworks.com/t5/general-topics/connection-issues-between-servers/m-p/275132#M75235 OtakarKlier 2019-07-05T17:09:59Z