05-14-2017 09:54 PM
Hi
Still a beginner with the PA.
I have a universal rule that allows from
any zone
my internal IP address
to
an IP address group that has my proxy addresses in it.
For application I have
http-proxy - this covers a lot of ports
default urls
From my test box I try
wget -O /dev/null http://www.smh.com.au
This works!!!
wget -O /dev/null http://www.google.com
fails. When I look in the traffic logs I see that the PA has identified that the application is google-base.
So I add in google-base; in fact I include an application filter of general-internet.
Try that, it fails.
I then set service to any, not application-default, and now it works.
But doesn't this now mean I can connect to my squid box on any port????
How am I supposed to configure this?
05-14-2017 10:17 PM
Actually even worse than this ....
The standard ports of the other applications are allowed to the proxy,
so for example msn-file-transfer allows 1025-65535 ... so now all these ports are allowed to the proxy!!!
05-15-2017 11:59 PM
For the record, it's just me.
I had to set the service ports as well.
All working well now.
05-16-2017 08:25 PM
To answer your question "so for example msn-file-transfer allows 1025-65535 ... so now all these ports are allowed to the proxy!!!":
No, that is not the case.
Some applications use a wide range of ports, so the SYN/SYN-ACK/ACK must be permitted through. When the real communication starts, the Palo can identify whether it is really msn-file-transfer or not. If not, the session is dropped.
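As an added illustration of the two-stage behaviour described in this answer (this is not code from the thread or from Palo Alto Networks): a small Python model of a rule matched first on port during the handshake and then on the identified App-ID. The per-application default ports and the squid listener port 3128 are assumptions chosen for the example.

```python
"""Simplified model of a PAN-OS security rule with service set to
'application-default' versus an explicit service port.
Constructed example; the port tables below are assumptions."""
from typing import Dict, List, Set, Union

# Assumed default ports per application (illustrative only; consult the
# App-ID database for real values). The msn-file-transfer range is the
# one quoted in the thread.
APP_DEFAULT_PORTS: Dict[str, Set[int]] = {
    "http-proxy": {80, 8080, 3128},
    "google-base": {80, 443},
    "msn-file-transfer": set(range(1025, 65536)),
}

Service = Union[str, Set[int]]  # "application-default" or explicit ports
PROXY_PORT = 3128               # assumed squid listener port


def evaluate(rule_apps: List[str], service: Service, dst_port: int,
             identified_app: str) -> str:
    """Return the fate of a session under the rule.

    Stage 1 (TCP handshake): no payload exists yet, so only the port can
    be matched. With application-default the SYN passes if the port is a
    default port of ANY application on the rule; with an explicit
    service only the listed ports pass.
    Stage 2 (after App-ID): the identified application must be on the
    rule, and with application-default it must also be on one of its
    own default ports, which is why google-base seen on the proxy port
    was dropped until the service was set explicitly.
    """
    if service == "application-default":
        syn_ok = any(dst_port in APP_DEFAULT_PORTS[a] for a in rule_apps)
    else:
        syn_ok = dst_port in service
    if not syn_ok:
        return "deny: port not permitted at SYN"
    if identified_app not in rule_apps:
        return "deny: application not on rule"
    if service == "application-default" and \
            dst_port not in APP_DEFAULT_PORTS.get(identified_app, set()):
        return "deny: application on non-default port"
    return "allow"


if __name__ == "__main__":
    rule = ["http-proxy", "google-base", "msn-file-transfer"]
    print(evaluate(rule, "application-default", PROXY_PORT, "google-base"))
    print(evaluate(rule, "application-default", 40000, "ssh"))
    print(evaluate(rule, {PROXY_PORT}, PROXY_PORT, "google-base"))
```

The third call shows the thread's working configuration: an explicit service of the proxy port together with the application list, so high ports never pass the handshake while google-base on the proxy port is allowed.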