https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380856#M89700 <P>I am trying to access <A href="http://www.brokercheck.com" target="_blank">http://www.brokercheck.com</A> from behind the PAN firewall via dynamic NAT without any success.&nbsp; I have other customers behind different PAN firewalls, regardless of PAN OS version, with the same issue access website <A href="http://www.brokercheck.com" target="_blank">http://www.brokercheck.com.</A></P><P>&nbsp;</P><P>The FW rule is wide open "any any accept log"</P><P>&nbsp;</P><P>It works for customers NOT behind PAN firewalls.&nbsp; In other words, hosts behind Cisco ASA and checkpoint firewalls can access <A href="http://www.brokercheck.com" target="_blank">http://www.brokercheck.com</A> without any issues.&nbsp;</P><P>&nbsp;</P><P>I have a TAC case opened with PaloAlto support and waiting to hear back from them.</P><P>&nbsp;</P><P>Thoughts?</P> Tue, 19 Jan 2021 19:41:34 GMT dtran 2021-01-19T19:41:34Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380856#M89700 <P>I am trying to access <A href="http://www.brokercheck.com" target="_blank">http://www.brokercheck.com</A> from behind the PAN firewall via dynamic NAT without any success.&nbsp; I have other customers behind different PAN firewalls, regardless of PAN OS version, with the same issue access website <A href="http://www.brokercheck.com" target="_blank">http://www.brokercheck.com.</A></P><P>&nbsp;</P><P>The FW rule is wide open "any any accept log"</P><P>&nbsp;</P><P>It works for customers NOT behind PAN firewalls.&nbsp; In other words, hosts behind Cisco ASA and checkpoint firewalls can access <A href="http://www.brokercheck.com" target="_blank">http://www.brokercheck.com</A> without any issues.&nbsp;</P><P>&nbsp;</P><P>I have a TAC case opened with PaloAlto support and waiting to hear back from them.</P><P>&nbsp;</P><P>Thoughts?</P> Tue, 19 Jan 2021 19:41:34 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380856#M89700 dtran 2021-01-19T19:41:34Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380891#M89704 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a> ,</P><P>&nbsp;</P><P>What are you seeing under traffic logs? Traffic logs should give more clarity for this. You can also check few other points like,</P><P>&nbsp;</P><P>1.First, check if traffic for below URL is reaching the firewall. If there are any DNS issues on the source system, you won't see any traffic on the firewall.</P><P>2. Check if the required security policy is getting applied to below URL traffic on Palo Alto and if security policy is allowing the traffic,</P><P>3. Check if any other security policy profile e.g. URL filtering is blocking it.</P><P>4. NAT Policy &amp; desired routing is happening on the firewall while accessing below URL.</P><P>&nbsp;</P><P>Please check these points.</P> Wed, 20 Jan 2021 04:17:12 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380891#M89704 SutareMayur 2021-01-20T04:17:12Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380982#M89714 <P>No issue with DNS, URL filtering, NAT....&nbsp; Did I mention that if I replace the PAN with Cisco or Checkpoint, I don't have this issue?</P><P>&nbsp;</P><P>This issue is reproducible from multiple customers that are behind the PAN firewalls, from different locations and different ISP.</P> Wed, 20 Jan 2021 13:34:00 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/380982#M89714 dtran 2021-01-20T13:34:00Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/381165#M89730 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41973">@dtran</a> ,</P><P>&nbsp;</P><P>I tested URL from my one of the test system which is behind palo alto and URL is working. It gets redirected to <A href="https://brokercheck.finra.org/" target="_blank">https://brokercheck.finra.org/</A></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 21 Jan 2021 09:35:59 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/381165#M89730 SutareMayur 2021-01-21T09:35:59Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/382211#M89821 <P>I found the solution here:&nbsp; <A href="https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack" target="_blank">https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack</A></P><P>&nbsp;</P><P>Apparently many users who are behind PAN firewalls have issues access this site.</P> Tue, 26 Jan 2021 21:57:53 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-access-certain-web-sites-from-host-behind-pan/m-p/382211#M89821 dtran 2021-01-26T21:57:53Z