I'm using PAN-OS 7.1.8 on an active/passive HA cluster of PA-3050 devices for the perimeter. Just recently, people started complaining that GoToMeeting no longer works. When I investigate a test session (http://help.citrix.com/getready), the session does not start. When I look in the PAN-OS monitoring logs, I am seeing "http-proxy" being blocked. I created a temporary rule that allowed me access to that application and, after doing so, GoToMeeting worked fine.
We block and have always blocked the http-proxy application in our web filtering rules for everyone. Does anyone have any suggestions for how to get GTM working without opening up http-proxy for everyone? Is this something that should go to PAN support?
The easiest way to do it would be to allow it through to GoToMeeting's IP address range so that you would be relatively positive that they still couldn't actively start a proxy session to bypass your security measures. I imagine that Palo Alto is probably working on updating the signature, but you may want to contact TAC just to make sure.
I never did call support, but I found that if I excluded the Citrix-related IP addresses from TLS decryption, it worked. I'm not sure if Citrix changed something or PAN did, but it doesn't seem to work correctly with TLS decryption in effect. Keep in mind that the G2M launcher kind of breaks and stays half alive. You have to kill all the processes that start with "g2m" and try again. Otherwise it looks like your changes in the PAN firewall aren't having an effect.