I am trying to access http://www.brokercheck.com from behind the PAN firewall via dynamic NAT without any success. I have other customers behind different PAN firewalls, regardless of PAN OS version, with the same issue access website http://www.brokercheck.com.
The FW rule is wide open "any any accept log"
It works for customers NOT behind PAN firewalls. In other words, hosts behind Cisco ASA and checkpoint firewalls can access http://www.brokercheck.com without any issues.
I have a TAC case opened with PaloAlto support and waiting to hear back from them.
Hi @dtran ,
What are you seeing under traffic logs? Traffic logs should give more clarity for this. You can also check few other points like,
1.First, check if traffic for below URL is reaching the firewall. If there are any DNS issues on the source system, you won't see any traffic on the firewall.
2. Check if the required security policy is getting applied to below URL traffic on Palo Alto and if security policy is allowing the traffic,
3. Check if any other security policy profile e.g. URL filtering is blocking it.
4. NAT Policy & desired routing is happening on the firewall while accessing below URL.
Please check these points.
No issue with DNS, URL filtering, NAT.... Did I mention that if I replace the PAN with Cisco or Checkpoint, I don't have this issue?
This issue is reproducible from multiple customers that are behind the PAN firewalls, from different locations and different ISP.
I found the solution here: https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack
Apparently many users who are behind PAN firewalls have issues access this site.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!