google home page not loading when remove "service-https" and leave ssl application


So I have this dual-personality thing going on with the PA firewall and am learning, so this might be an easy one. I kind of don't like the requirement to create "application"-based rules and then back them up with "service"-based rules. I had this security policy in place and was playing with it:

RULEBASE1 (old working rulebase):

user2internet  allow  service-https & service-http   (service-based rule)
user2internet  allow  ftp, ntp, ping                 (application-based rule)

RULEBASE2 (new rulebase, trying to migrate to all application-based):

user2internet  allow  service-http                   (service-based rule)
user2internet  allow  ftp, ntp, ssl, ping            (application-based rule)

My thinking is any HTTPS website should use SSL, right? So if I go to a secure site with rulebase1, I'm using line 1; with rulebase2, I use line 2. Both rules work fine most of the time. In fact rulebase1 is the months-old config, so it's a fine rule. rulebase2 - not so much!

Under rulebase2, many SSL-enabled websites load, but funny thing: https://www.google.com doesn't load. I get some sort of connection reset message - I think from the PA firewall.

What's up here? Why is Google special? What other sites won't work under rulebase2? How do I work around this? NOTE: I'm not going to get nickel-and-dimed by configuring every SSL application under the sun that a normal user may want to use on the internet. So things like google-base (SSL) will remain unconfigured, but I suspect this has something to do with the problem. Maybe big companies, which are special, have their own defined pre-canned PA applications, and for some reason, if the PA sees this riding on top of SSL, it still denies the connection - unless that sub-type application (under SSL) is also configured?

Cyber Elite

Hi @anon4all ,

Normally, whenever you see issues with traffic passing through the PA, the traffic logs give much clarity on traffic being allowed and dropped (additionally, you should have logging enabled on the security policy), and with this you can see why traffic is not working. Now in your case, I would recommend you check access by adding the google-base App-ID to the security policy.

M

Hi, thx for the quick reply. By adding the google-base App-ID to the security policy, do you mean: edit the rule in question, go to the Application tab, and add google-base under the applications? If so, that is tedious and leads me down the application rabbit hole. Then for each thing that should be working with SSL but has some sort of custom application, I have to add that one - and then another one, and another, etc. Pretty soon I'd have 10's or more of these pre-made applications, just running over SSL. I just want to allow anything running on SSL. And that doesn't seem to work.
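To make the mechanism behind the reply concrete, here is an added example (not code from the thread or from Palo Alto Networks): a simplified Python model of the policy lookup being re-run as App-ID refines a session from ssl to google-base. The rule names, the port tables and the two sessions are constructed assumptions; only the allow/deny outcome per rulebase is the point.

```python
# Added example: a simplified model of PAN-OS security-policy lookup being re-run
# as App-ID refines a session (ssl -> google-base). Not PAN-OS code; the port
# tables, rule names and the two sessions below are constructed for illustration.
from dataclasses import dataclass

SERVICE_PORTS = {"service-http": 80, "service-https": 443}
# Ports that "application-default" accepts for each app (constructed subset).
APP_DEFAULT_PORTS = {"ssl": {443}, "google-base": {80, 443}, "ftp": {21}, "ntp": {123}}

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset      # frozenset({"any"}) for a purely service-based rule
    services: frozenset  # service objects, or frozenset({"application-default"})

def rule_matches(rule, app, port):
    """A rule matches only if both its application and its service criteria do."""
    if "any" not in rule.apps and app not in rule.apps:
        return False
    if "application-default" in rule.services:
        return port in APP_DEFAULT_PORTS.get(app, {port})
    return any(SERVICE_PORTS.get(s) == port for s in rule.services)

def evaluate(rulebase, port, app_history):
    """Look up policy again each time App-ID shifts; the first miss ends the session.
    Returns (action, app at the decision, matched rule name or None)."""
    hit = None
    for app in app_history:
        hit = next((r.name for r in rulebase if rule_matches(r, app, port)), None)
        if hit is None:
            return ("deny", app, None)  # no rule covers the refined app: default deny
    return ("allow", app_history[-1], hit)

def fs(*names):
    return frozenset(names)

RULEBASE1 = [Rule("user2internet-svc", fs("any"), fs("service-https", "service-http")),
             Rule("user2internet-app", fs("ftp", "ntp", "ping"), fs("application-default"))]
RULEBASE2 = [Rule("user2internet-svc", fs("any"), fs("service-http")),
             Rule("user2internet-app", fs("ftp", "ntp", "ssl", "ping"), fs("application-default"))]
# The reply's suggestion: keep rulebase2 but add google-base to the application rule.
RULEBASE2_FIXED = [RULEBASE2[0], Rule("user2internet-app",
                   fs("ftp", "ntp", "ssl", "ping", "google-base"), fs("application-default"))]

# Constructed sessions: destination port, then App-ID as it evolves over the session.
GOOGLE_HTTPS = (443, ["ssl", "google-base"])
GENERIC_HTTPS = (443, ["ssl"])
```

Rulebase1 allows the Google session through the service-https rule regardless of the refined app; rulebase2 allows it as ssl and then loses it once App-ID refines it to google-base, which is what the traffic log's application column would show against the deny.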
