PA blocks outbound port 10443, doesn't show up in logs

L1 Bithead

I have an external website that I need to access on port 10443: https://<public IP>:10443. The connection never completes and times out.

 

If I pull the PA FW out and throw in an ASA, works just fine. The logs on PA don't even show port 10443 being accessed or logged.

 

No matter what log I check, I find nothing.

 

Any idea?

 

Thx

L4 Transporter

Hello,

 

Have you tried running a packet capture & global counters to check for any drops/reasons for drops? Is there any asymmetric routing in your network?

 

How to run a capture -

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

 

Global counters -

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Troubleshoot-Using-Counters-via-the-CL...

 

hope this helps!

Ben

L5 Sessionator

What's the PAN-OS version on the firewall?

 

Check the application and service tab. Try setting the application to ssl and keeping the service as any. Check whether it works or not.

L5 Sessionator

Are you logging everything? Find a rule that should allow or drop the mentioned traffic and see if it's set to logging.

L5 Sessionator

Also make sure that your only drop rule isn't the implicit one: interzone-default. That rule doesn't log. I always make a default drop rule, which logs, above the implicit rules.
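As an added illustration (not code from this thread or from Palo Alto Networks), here is a small Python model of top-down security-rule matching with the two implicit default rules; it shows why a flow that falls through to interzone-default is denied without producing a traffic log, and how either widening the service on the allow rule or adding a logged catch-all deny makes the traffic visible. The rulebase, zone names and App-ID default-port table are constructed for the example.

```python
from dataclasses import dataclass

# Minimal App-ID default-port table (constructed subset for this example).
APP_DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}}


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    app: str = "any"                      # App-ID, e.g. "ssl"
    service: str = "application-default"  # or "any" or "tcp/<port>"
    log_end: bool = True                  # log at session end


def rule_matches(rule, src_zone, dst_zone, app, port):
    """Return True if the flow matches every field of the rule."""
    if rule.src_zone not in ("any", src_zone):
        return False
    if rule.dst_zone not in ("any", dst_zone):
        return False
    if rule.app not in ("any", app):
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return port in APP_DEFAULT_PORTS.get(app, set())
    return rule.service == f"tcp/{port}"


def evaluate(rules, src_zone, dst_zone, app, port):
    """Walk the rulebase top-down; fall through to the implicit defaults."""
    for r in rules:
        if rule_matches(r, src_zone, dst_zone, app, port):
            return r.name, r.action, r.log_end
    # Implicit rules: intrazone allow / interzone deny; neither logs by default.
    if src_zone == dst_zone:
        return "intrazone-default", "allow", False
    return "interzone-default", "deny", False


# Constructed rulebase: SSL allowed outbound, but only on App-ID default ports.
BEFORE = [Rule("outbound-ssl", "allow", "trust", "untrust", "ssl")]
# Adjusted rule: service widened to "any" so SSL on tcp/10443 matches and logs.
AFTER = [Rule("outbound-ssl", "allow", "trust", "untrust", "ssl", "any")]
# Alternative: an explicit, logged deny-all placed above the implicit rules.
WITH_CATCHALL = BEFORE + [Rule("deny-all-log", "deny", service="any")]
```

Running `evaluate(BEFORE, "trust", "untrust", "ssl", 10443)` lands on interzone-default with logging off, which is the silent drop described in the thread.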

L1 Bithead

Good idea on the drop rule. It's a very basic setup, and all rules log start and end of session. Capture logs show retransmissions, and traffic is getting to device.

 

Additionally, another app that uses SSL over a non-standard port also did not work. Swapped the PA with an ASA and both apps worked... definitely something on the PA.

 

INFO:

PA-VM-100

Pan-OS: 7.1.1

All other software up to date.

 

Thx

L5 Sessionator

So did you find this traffic in logs? If all rules are set to logging then you must see it. If you still don't see it then it's dropped by implicit rule.

L1 Bithead

Good call santonic on the deny rule... it was getting caught in the implicit rule. Adjusted the regular rule and all is good.

Thx guys....

L5 Sessionator

No problem.
