PA blocks outbound port 10443, doesn't show up in logs

L1 Bithead

I have an external website that I need to access on port 10443: https://<public IP>:10443. The connection never completes and times out.

If I pull the PA FW out and throw in an ASA, it works just fine. The logs on the PA don't even show port 10443 being accessed or logged.

No matter what log I check, I find nothing.

Any idea?

Thx

8 REPLIES

L4 Transporter

Hello,

Have you tried running a packet capture & global counters to check for any drops/reasons for drops? Is there any asymmetric routing in your network?

How to run a capture -

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

Global counters -

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CL...

hope this helps!

Ben

L5 Sessionator

What's the PAN-OS version on the firewall?

Check the Application and Service tab. Try setting the application to ssl and keeping the service as any. Check whether it works or not.

L6 Presenter

Are you logging everything? Find a rule that should allow or drop the mentioned traffic and see if it's set to logging.

Also make sure that your only drop rule isn't the implicit one: interzone-default. That rule doesn't log. I always make a default drop rule which logs above implicit rules.
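The logging gap described in the reply above can be checked directly in an exported configuration. As an added example that is not part of the thread and not Palo Alto Networks' tooling, and assuming the PAN-OS 7.x XML layout (`rulebase/security/rules` for explicit rules, `rulebase/default-security-rules` for the implicit ones), this script reports whether traffic falling through to the bottom of the rulebase would ever appear in the traffic log:

```python
"""Audit a PAN-OS config XML for the logging gap from this thread: drops that
hit the implicit interzone-default rule are invisible unless that rule has
log-end enabled or an explicit catch-all deny rule with logging sits above it.
Added example, not Palo Alto Networks code; the XML layout is assumed from
PAN-OS 7.x exports ('show config running' or the GUI export)."""
import xml.etree.ElementTree as ET

# Constructed sample: an allow rule for tcp/10443 plus the stock
# interzone-default rule with logging off (the situation in the thread).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase>
 <security><rules><entry name="allow-web-10443">
  <from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <application><member>ssl</member></application><service><member>tcp-10443</member></service>
  <action>allow</action><log-start>yes</log-start><log-end>yes</log-end>
 </entry></rules></security>
 <default-security-rules><rules><entry name="interzone-default">
  <action>deny</action><log-start>no</log-start><log-end>no</log-end>
 </entry></rules></default-security-rules>
</rulebase></entry></vsys></entry></devices></config>"""

MATCH_FIELDS = ("from", "to", "source", "destination", "application", "service")


def _logs_end(rule):
    """True when the rule's log-end flag is 'yes'."""
    return (rule.findtext("log-end") or "").strip() == "yes"


def _is_catch_all(rule):
    """True when every match field is 'any', i.e. the rule sees all leftover traffic."""
    return all((rule.findtext(f"{f}/member") or "") == "any" for f in MATCH_FIELDS)


def audit_drop_logging(config_xml):
    """Report whether traffic denied at the bottom of the rulebase will be logged."""
    vsys = ET.fromstring(config_xml).find("devices/entry/vsys/entry")
    explicit = vsys.findall("rulebase/security/rules/entry")
    logged_deny = [r.get("name") for r in explicit
                   if (r.findtext("action") or "") in ("deny", "drop")
                   and _is_catch_all(r) and _logs_end(r)]
    # A never-overridden default rule is absent from the XML; factory setting is no logging.
    default = vsys.find("rulebase/default-security-rules/rules/entry[@name='interzone-default']")
    default_logs = default is not None and _logs_end(default)
    return {"logged_catch_all_deny": logged_deny,
            "interzone_default_logs": default_logs,
            "drops_visible": bool(logged_deny) or default_logs}
```

Run it against a real export and a `drops_visible` of `False` means a timed-out connection like the one in this thread will leave no trace in the traffic log.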

Good idea on the drop rule. It's a very basic setup, and all rules log start and end of session. Capture logs show retransmissions, and traffic is getting to the device.

Additionally, another app that uses SSL over a non-standard port also did not work. Swapped the PA with an ASA and both apps worked.....definitely something on the PA.

INFO:

PA-VM-100

PAN-OS: 7.1.1

All other software up to date.

Thx

So did you find this traffic in logs? If all rules are set to logging then you must see it. If you still don't see it then it's dropped by implicit rule.

Good call santonic on the deny rule.....it was getting caught in the implicit rule. Adjusted the regular rule and all is good.

Thx guys....

No problem.
