topic Re: I'm having a problem with Canon printers communicating with an external IP (Canon site). in General Topics

I'm having a problem with Canon printers communicating with an external IP (Canon site).

itdeptcinven — Tue, 03 Dec 2013 17:01:11 GMT

I'm having a problem with Canon printers communicating with an external IP (Canon site). They are trying to communicate to a particular IP on port 443 (simple, right?) but they aren't contacting the destination. I checked my Palo monitor and didn't see anything wrong but I thought I'd create fresh rules just for these printers. So, I've setup rules to:

NOT decrypt packets from the printer subnet
Allow all from
- From Zone: Trust
- To Zone: Untrust
- Source Address: Printer Subnet
- Destination Address: ANY
- Service: Custom service - TCP / Destination port 443 / Source port > 0

I've set the rule to log at session start and end. I see the attempted communication alongside the correct rule and an allow. But, the application appears as "incomplete". The printers cannot contact the remote IP. I've connected up one of these printers to a DSL line that doesn't traverse the Palo and it works. If I try to browse to the IP from a web browser via the Palo, it works and I see the application appear correctly in the Palo monitor... See below (bottom one is me browsing via web and top one is from printer subnet):

Any ideas on this? I've tried manipulating security rules, decryption rules, services, etc with no success. I really want to blame it on the Canon printers, but as they work over DSL, I can't

Thanks in advance!!!

Re: I'm having a problem with Canon printers communicating with an external IP (Canon site).

HULK — Wed, 04 Dec 2013 01:45:07 GMT

Hello,

I saw the session status is showing as =" INCOMPLETE". Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete.

If this is an urgent requirement, please open a ticket with PAN support and let me know the ticket number.

Thanks

Re: I'm having a problem with Canon printers communicating with an external IP (Canon site).

itdeptcinven — Wed, 04 Dec 2013 09:44:11 GMT

Hi Hulk, thanks for your response. It's not urgent as this has been going on for a while. However, if I can't find a solution, in the next couple of days, I'll log it. Besides, I won't earn the badges if I log it :smileygrin:

What you've said is what I thought, but when the device is connected to a dsl line it works as Canon expect it to. And as the picture above shows, when I browse to to IP from a browser, the Palo picks it up correctly. Everything points to a problem with the printer until it's connected to the dsl line. I'm at a total loss.