I have a PA-220 Running Version 8.1.9-h4
Current problem is that some teachers use iPads and some of them use an app called SEESAW.
The app loads fine on the iPad but seem to be blocked from the cloud resources it should have access to.
Using it on Mobile data everything loads fine.
Using it through the Firewall I eventually get a message "Can't Connect to Server" "Retry"
I have gone to the Monitor tab and using the iPad's IP have checked
as well as a few others.
nothing is coming up as Blocked everything seems to be allowed.
I cannot work out what or where the traffic is being blocked.
Any Advice or hints are appreciated.
If security policy is application specific, please check if any dependent app is not allowed in the policy. If this is not the case,
take one system in the same subnet which belongs to iPAD and try traceroute to the destination IP addresses seen in traffic logs and check if it passes firewall.
Do you mean that i should go to Objects > Applications and add SEESAW to the allowed application list?
If so then i cannot as PALO does have a SEESAW application listed as an option.
I also checked here https://applipedia.paloaltonetworks.com/
I mean what type of security policy u have written for allowing traffic?? is it application based or service based??
There are a list off applications that are allowed, Under objects > Application groups that the iPads are allowed to use and then under Objects > URL Filtering there the URL Categories that are blocked or allowed.
There are certain applications which are dependent on some other applications. If dependent apps are not allowed in the policy, it never works as per our expectations.
e.g. If you want to allow traceroute app in the policy, you need to allow ICMP and Ping also in order to work it properly. Dependency can be checked under each application details on firewall.
I get what you are saying about the dependencies.
But i don't know what SEESAW needs.
SEESAW is not listed as an application (like Netflix is) in the Palo software.
So if SEESAW as an application in the Palo is actually SAWSEE, i don't know how to work that out to allow it.
basically how do i work out if it has different name, or why the traffic is not allowed.
Edit: I just got told it worked on Friday last week. (and i have not made change to the firewall between then and now)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!