This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PA blocks outbound port 10443, doesn't show up in logs

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA blocks outbound port 10443, doesn't show up in logs

dclark1
L1 Bithead

‎04-25-2016 07:41 AM

I have and external website that I need to access on port 10443: https://<public IP>:10443. The connection never completes and times out. 

 

If I pull the PA FW out and throw in an ASA, works just fine. The logs on PA don't even show port 10443 being accessed or logged.

 

No matter what log I check, I find nothing.

 

Any idea?

 

Thx

0 Likes Likes
8 REPLIES 8

bmorris1
L4 Transporter

‎04-25-2016 07:54 AM

Hello,

 

Have you tried running a packet capture & global counters to check for any drops/reasons for drops? Is there any asymmetric routing in your network?

 

How to run a capture -

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

 

Global counters -

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CL...

 

hope this helps!

Ben

0 Likes Likes

pankaku
L5 Sessionator

‎04-25-2016 01:06 PM

What's PAN-OS version on firewall?

 

Check the application and service tab. Try to make application as ssl and keep service as any. Check if works or not.

0 Likes Likes

santonic
L6 Presenter

‎04-25-2016 11:54 PM

Are you logging everything? Find a rule that should allow or drop the mentioned traffic and see if it's set to logging.

0 Likes Likes

santonic
L6 Presenter
In response to santonic

‎04-25-2016 11:57 PM

Also make sure that your only drop rule isn't the implicit one: interzone-default. That rule doesn't log. I always make a default drop rule which logs above implicit rules.

0 Likes Likes

dclark1
L1 Bithead
In response to santonic

‎04-26-2016 05:07 AM

Good idea on the drop rule. It's a very basic setup, and all rules log start and end of session. Capture logs show retransmissions, and traffic is getting to device.

 

Additionally another app that uses SSL over a non stanard port also did not work. Swapped PA with an ASA and both apps worked.....definatley something on the PA.

 

INFO:

PA-VM-100

Pan-OS: 7.1.1

All other software up to date.

 

Thx

0 Likes Likes

santonic
L6 Presenter
In response to dclark1

‎04-26-2016 05:43 AM

So did you find this traffic in logs? If all rules are set to logging then you must see it. If you still don't see it then it's dropped by implicit rule.

0 Likes Likes

dclark1
L1 Bithead
In response to santonic

‎04-26-2016 09:54 AM

Good call santonic on the deny rule.....it was getting caught in the implict rule. Adjusted regular rule and all is good.

 

 

Thx guys....

0 Likes Likes

santonic
L6 Presenter
In response to dclark1

‎04-27-2016 11:04 PM

No problem.

0 Likes Likes
  • 3581 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks