The site seems to be using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
Support for this suite was added in PAN-OS 7.1:
Please check the following article:
Seeing that you are already using 7.1... are you using SSL decryption? Have you tried disabling it for the site as a test?
Obviously I defined 3 rules for my PC's originating IP at the top: to exit anywhere, to not decrypt, to not captive portal.
I have PAN-OS 7.1.2.
Did you try to do a PCAP on the Palo and the client side?
What error do you get on the screen when trying to access this particular site? Did you try with a different web browser?
I'd recommend setting up a filter with your originating IP address and checking the global counters for drops. I'm guessing you will find some counters that could explain the behaviour:
A strange thing
I have a Policy Forwarding rule so that for some LAN IPs, outbound traffic doesn't go via the WAN interface but is sent to a machine connected in the DMZ, and that machine is connected to the internet with a software firewall.
These routed machines can access this site normally.
Only machines that go out through the Palo Alto don't work.
The first image is a log of the conversation sent to the machine in the DMZ, which works.
The second is using the PA WAN, which doesn't work.
I am unable to access this site in any way through my PA-3020 with PAN-OS 7.1.
Obviously it is possible through a direct connection.
Can someone try and tell me if it is the same?
The application in the non-working scenario is 'incomplete'.
Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application.
For example, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.
I'd recommend taking PCAPs to confirm traffic is leaving the firewall on the correct egress interface, and also taking PCAPs on the destination server to verify whether the packet reaches it and is returned correctly.
Also try running just a simple ping from the Palo to the client and to the website. Also source the ping from the appropriate egress interface.
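To make the definition of 'incomplete' above concrete, here is an added Python example (not from the thread and not Palo Alto Networks code) that classifies a captured TCP flow the way the reply describes: it parses constructed tcpdump-style summary lines, checks whether the client's SYN was answered with a SYN-ACK and acknowledged, and whether any payload followed the handshake. The addresses, the summary-line format and the function names are assumptions made for this example; the same check can be run over the egress-side and server-side captures the reply recommends to see on which side the handshake breaks.

```python
import re
from collections import namedtuple

# One parsed packet summary (constructed format for this example).
Packet = namedtuple("Packet", "src dst flags length")

# Matches a tcpdump-style summary line, e.g. "10.0.0.5 > 203.0.113.10: Flags [S.], length 0"
LINE_RE = re.compile(r"^(\S+) > (\S+): Flags \[([^\]]*)\], length (\d+)$")

CLIENT = "10.0.0.5"       # constructed LAN host behind the firewall
SERVER = "203.0.113.10"   # constructed web server (RFC 5737 documentation range)

# Constructed capture summaries, one TCP packet per line, in tcpdump flag notation:
# S = SYN, S. = SYN-ACK, . = ACK, P. = PSH-ACK, F. = FIN-ACK, R. = RST-ACK.
WORKING_SESSION = """\
10.0.0.5 > 203.0.113.10: Flags [S], length 0
203.0.113.10 > 10.0.0.5: Flags [S.], length 0
10.0.0.5 > 203.0.113.10: Flags [.], length 0
10.0.0.5 > 203.0.113.10: Flags [P.], length 517
203.0.113.10 > 10.0.0.5: Flags [P.], length 1460
"""

# The client retransmits its SYN three times and never hears back.
NO_SYNACK_SESSION = """\
10.0.0.5 > 203.0.113.10: Flags [S], length 0
10.0.0.5 > 203.0.113.10: Flags [S], length 0
10.0.0.5 > 203.0.113.10: Flags [S], length 0
"""

# Handshake completes, but the connection is closed before any data is sent.
NO_DATA_SESSION = """\
10.0.0.5 > 203.0.113.10: Flags [S], length 0
203.0.113.10 > 10.0.0.5: Flags [S.], length 0
10.0.0.5 > 203.0.113.10: Flags [.], length 0
10.0.0.5 > 203.0.113.10: Flags [F.], length 0
203.0.113.10 > 10.0.0.5: Flags [F.], length 0
"""


def parse_summary(text):
    """Turn tcpdump-style summary lines into Packet records; blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised summary line: {line!r}")
        src, dst, flags, length = m.groups()
        packets.append(Packet(src, dst, flags, int(length)))
    return packets


def classify_session(packets, client, server):
    """Return (application, reason) following the definition given in the thread.

    'incomplete' covers both failure modes described there: the three-way
    handshake never finished, or it finished but no data followed on which
    the application could be identified.  Anything with payload after a
    completed handshake is reported as 'identifiable'.
    """
    client_syn = any(p.src == client and p.dst == server and p.flags == "S"
                     for p in packets)
    server_synack = any(p.src == server and p.dst == client
                        and "S" in p.flags and "." in p.flags for p in packets)
    client_ack = any(p.src == client and p.dst == server
                     and "S" not in p.flags and "." in p.flags for p in packets)
    payload = sum(p.length for p in packets)

    if not client_syn:
        return ("unknown", "no client SYN seen for this flow")
    if not server_synack:
        return ("incomplete", "no SYN-ACK from server: handshake never completed")
    if not client_ack:
        return ("incomplete", "client never ACKed the SYN-ACK")
    if payload == 0:
        return ("incomplete", "handshake completed but no data followed")
    return ("identifiable", f"{payload} payload bytes after handshake")


def main():
    scenarios = (("working", WORKING_SESSION),
                 ("no-synack", NO_SYNACK_SESSION),
                 ("no-data", NO_DATA_SESSION))
    for name, text in scenarios:
        app, reason = classify_session(parse_summary(text), CLIENT, SERVER)
        print(f"{name:<10} application={app:<12} ({reason})")


if __name__ == "__main__":
    main()
```

Running it prints one line per constructed scenario; only the first flow carries data after the handshake, so the other two come out as 'incomplete' for the two different reasons the reply lists. Comparing the result for the firewall-egress capture against the server-side capture tells you whether the SYN is leaving on the expected interface and whether the SYN-ACK is making it back.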