Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-11-2020 02:01 AM
Greetings
I have a PA-220 Running Version 8.1.9-h4
Current problem is that some teachers use iPads and some of them use an app called SEESAW.
The app loads fine on the iPad but seem to be blocked from the cloud resources it should have access to.
Using it on Mobile data everything loads fine.
Using it through the Firewall I eventually get a message "Can't Connect to Server" "Retry"
I have gone to the Monitor tab and using the iPad's IP have checked
>Traffic
>Threat
>URL Filtering
as well as a few others.
nothing is coming up as Blocked everything seems to be allowed.
I cannot work out what or where the traffic is being blocked.
Any Advice or hints are appreciated.
02-11-2020 02:08 AM
If security policy is application specific, please check if any dependent app is not allowed in the policy. If this is not the case,
take one system in the same subnet which belongs to iPAD and try traceroute to the destination IP addresses seen in traffic logs and check if it passes firewall.
-Mayur
02-11-2020 03:04 AM
Do you mean that i should go to Objects > Applications and add SEESAW to the allowed application list?
If so then i cannot as PALO does have a SEESAW application listed as an option.
I also checked here https://applipedia.paloaltonetworks.com/
02-11-2020 03:18 AM
I mean what type of security policy u have written for allowing traffic?? is it application based or service based??
Mayur
02-11-2020 03:28 AM - edited 02-11-2020 03:42 AM
There are a list off applications that are allowed, Under objects > Application groups that the iPads are allowed to use and then under Objects > URL Filtering there the URL Categories that are blocked or allowed.
02-11-2020 06:58 PM
There are certain applications which are dependent on some other applications. If dependent apps are not allowed in the policy, it never works as per our expectations.
e.g. If you want to allow traceroute app in the policy, you need to allow ICMP and Ping also in order to work it properly. Dependency can be checked under each application details on firewall.
- Mayur
02-11-2020 10:33 PM - edited 02-11-2020 10:35 PM
Morning.
I get what you are saying about the dependencies.
But i don't know what SEESAW needs.
SEESAW is not listed as an application (like Netflix is) in the Palo software.
https://applipedia.paloaltonetworks.com/
So if SEESAW as an application in the Palo is actually SAWSEE, i don't know how to work that out to allow it.
basically how do i work out if it has different name, or why the traffic is not allowed.
Edit: I just got told it worked on Friday last week. (and i have not made change to the firewall between then and now)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
