Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
12-03-2013 09:01 AM
I'm having a problem with Canon printers communicating with an external IP (Canon site). They are trying to communicate to a particular IP on port 443 (simple, right?) but they aren't contacting the destination. I checked my Palo monitor and didn't see anything wrong but I thought I'd create fresh rules just for these printers. So, I've setup rules to:
I've set the rule to log at session start and end. I see the attempted communication alongside the correct rule and an allow. But, the application appears as "incomplete". The printers cannot contact the remote IP. I've connected up one of these printers to a DSL line that doesn't traverse the Palo and it works. If I try to browse to the IP from a web browser via the Palo, it works and I see the application appear correctly in the Palo monitor... See below (bottom one is me browsing via web and top one is from printer subnet):
Any ideas on this? I've tried manipulating security rules, decryption rules, services, etc with no success. I really want to blame it on the Canon printers, but as they work over DSL, I can't 
Thanks in advance!!!
12-03-2013 05:45 PM
Hello,
I saw the session status is showing as =" INCOMPLETE". Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.
So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete.
If this is an urgent requirement, please open a ticket with PAN support and let me know the ticket number.
Thanks
12-04-2013 01:44 AM
Hi Hulk, thanks for your response. It's not urgent as this has been going on for a while. However, if I can't find a solution, in the next couple of days, I'll log it. Besides, I won't earn the badges if I log it :smileygrin:
What you've said is what I thought, but when the device is connected to a dsl line it works as Canon expect it to. And as the picture above shows, when I browse to to IP from a browser, the Palo picks it up correctly. Everything points to a problem with the printer until it's connected to the dsl line. I'm at a total loss.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
