We are standing up some new PA firewalls and have been testing with some HL7 servers. Testing has been going well until recently, when "unknown-tcp" traffic started getting denied. It seems that it only happens when a specific file/message is being transferred.
I spoke with our HL7 Interface/Server guy and he shared this bit with me:
"HL7, most if not about all, messages begin with the “MSH” segment, Message Header.
These files, the HGS Meditech Lab Charge files, are in an HL7 batch.
The first segment is “FHS” – File Header, the BHS – Batch, then MSH and all the data.
So it is a “Batched” HL7 file, first time in 20+ years of doing this that I run across a charge file like this."
I got around the issue by creating a security policy to allow "unknown-tcp" between the two specific servers, but is that the only solution?
I know this is an old thread but just to tie the knot on this, there was a bug ID assigned for this issue (PAN-60414) and the fix for it was released on v7.1.13 and later versions/releases. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-release-notes/pan-os-7-1-addressed-issues/pan-os... Also, the content update (version 8164) has modified HL7 app-ID for recategorization.
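Added example, not part of the original thread and not Palo Alto Networks code: a small Python check that reports whether a captured HL7 payload opens with MSH or with the FHS/BHS batch headers described in the question, which helps confirm which transfers are the batched ones. The MLLP framing bytes, the function names and the sample messages are assumptions constructed for illustration.

```python
# Added example: classify HL7 payloads by their leading segment.
# Assumption: payloads are MLLP-framed (0x0B ... 0x1C 0x0D), the usual
# HL7-over-TCP framing; unframed payloads are handled as well.
VT, FS, CR = b"\x0b", b"\x1c", b"\r"

def strip_mllp(payload):
    """Remove the MLLP start and end bytes if they are present."""
    if payload.startswith(VT):
        payload = payload[1:]
    if payload.endswith(FS + CR):
        payload = payload[:-2]
    return payload

def segment_ids(payload):
    """Return the three-character ID of every segment, in order."""
    body = strip_mllp(payload).replace(b"\r\n", CR).replace(b"\n", CR)
    return [s[:3].decode("ascii", "replace") for s in body.split(CR) if s.strip()]

def classify(payload):
    """Label a payload as a single message, a batch file, or not HL7."""
    ids = segment_ids(payload)
    first = ids[0] if ids else ""
    if first == "MSH":
        kind = "single"
    elif first in ("FHS", "BHS"):
        kind = "batch"
    else:
        kind = "not-hl7"
    return {"kind": kind, "first": first, "messages": ids.count("MSH")}

# Constructed sample payloads (not taken from the thread).
MSG = b"MSH|^~\\&|LAB|HOSP|BILL|HOSP|20240101||DFT^P03|%d|P|2.3\rFT1|1|||20240101\r"
SINGLE = VT + MSG % 1 + FS + CR
BATCH = (VT + b"FHS|^~\\&|LAB|HOSP\rBHS|^~\\&|LAB|HOSP\r"
         + MSG % 1 + MSG % 2 + b"BTS|2\rFTS|1\r" + FS + CR)

if __name__ == "__main__":
    for name, data in (("single", SINGLE), ("batch", BATCH)):
        print(name, classify(data))
```

Running it over payloads extracted from a packet capture of the denied sessions shows whether the "unknown-tcp" hits line up with FHS/BHS-led files before a server-to-server exception is kept in place.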