04-02-2017 05:02 AM
I have a weird problem. I installed a VM100 connected via PPPoE to the ISP, standard NAT, DHCP configured on the LAN side.
Issue: unable to receive/send emails from iPhone from SOME providers using the built-in iOS app:
PS: Web browsing is fine and even my SIP Trunk is working.
Any ideas? I have set MTU to 1480 on the WAN interface, which was my first thought...
Thanks!
04-02-2017 06:51 AM
Turns out iCloud and gmail are using non-standard ports. I had to change the policy (Policies -> Security) from:
- Application: application_default
to
- Application: any
I suppose I could have tweaked the application_default to allow the gmail and icloud custom ports too. That will be my next step. However, it is working with any. It looks like there was a change on 7.1:
12-09-2022 11:07 AM
If you're still around, @Hwinter , I wanted to let you know that this old note saved a stranger a bunch of time in the year 2022. Thanks!
It'd be great if someone could explain to me how or why traffic that was blocked for being on a non-standard port didn't make into the Traffic log as thusly denied. Is there something I can configure to see traffic that is blocked because an app is using a non-standard port?
12-09-2022 02:16 PM - edited 12-09-2022 02:19 PM
@LRCAIT The default "intrazone-default" and "interzone-default" Security policies do not log by default, and the interzone policy denies traffic. So if you have allow rules for an Application(s) with "application-default" Service and you do not have your own deny-everything-else Security policy, then the traffic falls through to the "interzone-default" rule and is blocked without logging. Additionally, if you do have a deny-everything rule, but the Service in the rule is set to "application-default" (with an "any" Application), then your deny rule also won't match, as the traffic may have been identified as an application that is on a non-standard port.
You can update these 2 built-in Palo Alto rules to log by selecting them from the policy list and clicking "Override" at the bottom. Then edit them to log traffic to your Log Forwarding profile.
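To make the matching logic in the reply above concrete, here is a small Python model added by the editor; it is not Palo Alto code and not something posted in this thread. It assumes a top-down, first-match rulebase, an "application-default" Service that only matches when the session's port is one of the identified application's standard ports, and a built-in interzone-default rule that denies without logging unless overridden. The App-ID port table, rule names and the gmail-on-tcp/993 session are constructed for illustration and do not claim to reflect the real App-ID database.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed App-ID table (illustrative, not the real App-ID database):
# application -> ports it is expected on when a rule uses "application-default".
APP_DEFAULT_PORTS = {
    "gmail": {"tcp/443"},
    "imap": {"tcp/143"},
    "web-browsing": {"tcp/80"},
}


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    applications: frozenset     # {"any"} or specific App-ID names
    service: str                # "any", "application-default" or an explicit "tcp/NNN"
    log: bool = True            # log at session end


@dataclass
class Session:
    app: str    # what App-ID identified the traffic as
    port: str   # destination port the client actually used


def app_matches(rule: Rule, s: Session) -> bool:
    return "any" in rule.applications or s.app in rule.applications


def service_matches(rule: Rule, s: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the identified application's standard ports count. A client on a
        # non-standard port does not match, whatever the rule's Application field says,
        # so a deny-all rule with this Service silently lets such traffic fall through.
        return s.port in APP_DEFAULT_PORTS.get(s.app, set())
    return rule.service == s.port


def evaluate(rulebase: list[Rule], s: Session) -> tuple[str, str, bool]:
    """Top-down first match; returns (rule name, action, whether it was logged)."""
    for rule in rulebase:
        if app_matches(rule, s) and service_matches(rule, s):
            return rule.name, rule.action, rule.log
    raise RuntimeError("rulebase must end with the catch-all interzone-default rule")


def interzone_default(log: bool = False) -> Rule:
    # Built-in catch-all: any app, any service, deny, and no logging unless overridden.
    return Rule("interzone-default", "deny", frozenset({"any"}), "any", log=log)


def rulebase_before() -> list[Rule]:
    # Hypothetical rulebase mirroring the thread: mail apps allowed on default ports,
    # a deny-everything rule that (mistakenly) still uses Service application-default,
    # and the unmodified built-in rule.
    return [
        Rule("allow-mail", "allow", frozenset({"gmail", "imap"}), "application-default"),
        Rule("deny-all-logged", "deny", frozenset({"any"}), "application-default"),
        interzone_default(log=False),
    ]


def rulebase_after() -> list[Rule]:
    # Fix: the deny rule uses Service any so it catches non-standard ports, and the
    # built-in rule is overridden to log as a safety net.
    return [
        Rule("allow-mail", "allow", frozenset({"gmail", "imap"}), "application-default"),
        Rule("deny-all-logged", "deny", frozenset({"any"}), "any"),
        interzone_default(log=True),
    ]


# Constructed sample sessions: the mail client on the app's standard port, and on a
# non-standard one.
GMAIL_ON_443 = Session(app="gmail", port="tcp/443")
GMAIL_ON_993 = Session(app="gmail", port="tcp/993")

if __name__ == "__main__":
    for label, rb in (("before", rulebase_before()), ("after", rulebase_after())):
        for s in (GMAIL_ON_443, GMAIL_ON_993):
            print(label, s, "->", evaluate(rb, s))
```

In the "before" rulebase the tcp/993 session is denied by interzone-default with no log entry, which is exactly the silent hit-count increment described in the thread; in the "after" rulebase the explicit deny rule matches it and logs. The model does not try to reproduce how App-ID classifies traffic mid-session, only the rule-matching consequence once an application has been identified.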
12-09-2022 02:47 PM
Thanks, @Adrian_Jensen. Makes perfect sense. This also explains why I kept seeing the default interzone rule hit counts increment, even though I had a deny-all interzone rule ahead of it for logging purposes.