https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307736#M79913 <P>Thanks. Next time this happens I will do the packet capture.</P><P>I tried to replicate the issue on my laptop, but I haven't been able to. I haven't heard any reports of this happening to anyone else since I posted this either.</P><P>It's possible that the issue was something else, not PA. I'll just have to wait for the next report I guess.</P> Thu, 23 Jan 2020 20:39:42 GMT Luke_R 2020-01-23T20:39:42Z https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307614#M79895 <P>Sorry if this is a dumb question, I'm still a bit new to PA.</P><P>&nbsp;</P><P>I've recently had a case where a few workstations cannot access anything beyond the local network. A trace shows that they can reach their default GW, but not the next hop, which is the PA.</P><P>&nbsp;</P><P>As a workaround, I found that changing their IP address resolved the issue. I then found that if another workstation got the old IP through DHCP, they wouldn't work either. For now I've excluded the IP's from the range.</P><P>&nbsp;</P><P>I'm wondering if something on the PA could have seen a threat coming from these IP's, and blacklisted them. Is there any troubleshooting you would recommend in a case like this?</P><P>&nbsp;</P><P>Here's what I've seen so far:</P><UL><LI>The traffic log shows a lot of entries with an action of 'allow', but a session end reason of 'tcp-rst-from-server'</LI><LI>Nothing in the threat log</LI><LI>No correlated events</LI></UL><P>&nbsp;</P><P>Any suggestions?</P> Wed, 22 Jan 2020 21:23:11 GMT https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307614#M79895 Luke_R 2020-01-22T21:23:11Z https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307663#M79900 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131072">@Luke_R</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>tcp-rst-from-server :&nbsp;The server sent a TCP reset to the client.&nbsp;&nbsp;</SPAN></P> <P><SPAN>You're seeing traffic logs so your traffic is reaching the FW...&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I'd check first if the traffic reaching the firewall is actually egressing out correctly ... if not then check for indicators in the global counters:</SPAN></P> <P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0</A></SPAN></P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> Thu, 23 Jan 2020 10:14:12 GMT https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307663#M79900 kiwi 2020-01-23T10:14:12Z https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307723#M79910 <P>'tcp-rst-from-server'</P><P>&nbsp;</P><P>Is this from one server or a whole bunch of them?</P> Thu, 23 Jan 2020 17:05:05 GMT https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307723#M79910 RobinClayton 2020-01-23T17:05:05Z https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307735#M79912 <P>There were a few different ones. Not a lot though, but I'm not sure what's normal for this user.</P> Thu, 23 Jan 2020 20:38:08 GMT https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307735#M79912 Luke_R 2020-01-23T20:38:08Z https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307736#M79913 <P>Thanks. Next time this happens I will do the packet capture.</P><P>I tried to replicate the issue on my laptop, but I haven't been able to. I haven't heard any reports of this happening to anyone else since I posted this either.</P><P>It's possible that the issue was something else, not PA. I'll just have to wait for the next report I guess.</P> Thu, 23 Jan 2020 20:39:42 GMT https://live.paloaltonetworks.com/t5/general-topics/blacklisting-workstations/m-p/307736#M79913 Luke_R 2020-01-23T20:39:42Z