05-21-2013 12:38 AM
Hi
At some point in the last month or so, I've managed to break downloads from both the Google Play store and Apple App store. But I don't know how.
I have enabled decryption, but have disabled all my decryption rules and it is still broken, so I assume it's not that.
I can't find any associated denied traffic in the traffic log, or in the URL filtering log.
If anyone has any idea what I've done, it would be greatly appreciated.
Thanks
Shaun
05-21-2013 08:10 AM
If you don't have an explicit deny rule at the end of your policies, you won't see anything that is implicitly denied. In other words, if you don't have something allowed that needs to be allowed, and you don't have a policy that alerts or blocks everything else, you won't see it in the log. There is also a document located here: https://live.paloaltonetworks.com/docs/DOC-4256 that may be of use to you.
05-21-2013 08:32 AM
Also, instead of a "Deny any to any" rule you might want to break your explicit deny rule up by zone... otherwise you break intra-zone traffic if you have any (this is from experience... we broke our Palo Alto providing DHCP by having a 'deny any' at the bottom of our rule base).
05-21-2013 10:28 AM
I should have been more explicit! - As egearhart said, you definitely should not use a deny any any rule.
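Added example, not part of the thread and not vendor code: a toy first-match policy evaluator in Python that shows the three rule-base layouts discussed in the replies above and which of them produce a log entry. The zone names, rule names, the "app-store" application label and the silent implicit defaults (same-zone allowed, cross-zone denied) are assumptions made for the illustration.

```python
# Toy model of first-match zone policy evaluation (constructed; not PAN-OS code).
# Assumption: with no matching rule, same-zone traffic is allowed and
# cross-zone traffic is denied, and neither default writes a log entry.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str      # source zone or "any"
    dst: str      # destination zone or "any"
    app: str      # application or "any"
    action: str   # "allow" or "deny"
    log: bool = True

def evaluate(rules, src, dst, app):
    """Return (action, matched_rule_name, logged) for one session."""
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.app in ("any", app):
            return r.action, r.name, r.log
    # Nothing matched: fall through to the implicit defaults, which are silent.
    return ("allow" if src == dst else "deny"), "implicit-default", False

ALLOW_WEB = Rule("allow-web", "trust", "untrust", "web-browsing", "allow")
DENY_ANY = Rule("deny-any-any", "any", "any", "any", "deny")
DENY_OUT = Rule("deny-trust-to-untrust", "trust", "untrust", "any", "deny")

RULEBASES = {
    "no explicit deny": [ALLOW_WEB],
    "deny any to any": [ALLOW_WEB, DENY_ANY],
    "deny split by zone": [ALLOW_WEB, DENY_OUT],
}

# Constructed sessions: an app-store download that no allow rule covers,
# and DHCP between hosts in the same zone.
SESSIONS = [("trust", "untrust", "app-store"), ("trust", "trust", "dhcp")]

def report():
    """Evaluate every constructed session against every rule base."""
    out = {}
    for label, rules in RULEBASES.items():
        for s in SESSIONS:
            out[(label, s[2])] = evaluate(rules, *s)
    return out

if __name__ == "__main__":
    for (label, app), (action, rule, logged) in report().items():
        print(f"{label:20} {app:10} {action:5} by {rule:22} logged={logged}")
```

Only the zone-split layout both logs the blocked download and leaves the same-zone DHCP session alone.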
05-22-2013 12:37 AM
Hi all
I do already have an explicit deny all rule covering this zone, with logging enabled.