06-11-2018 08:36 AM
PA220, 8.1.1, GPClient 4.1.1, GP license activated.
Connecting to the GPportal/gateway works fine. Traffic routes as expected.
We're still testing, so access is severly limited and policies wide open once connected. Literally, everything is allowed for GP users.
However, when i attempt to access an internal SSL-protected site, the traffic is denied.
I can even change the rule to expressly allow SSL & web-browsing to that device and it still hits the DenyAll rule at the bottom.
What am I missing in my setup?
06-11-2018 11:51 AM
Looking at your screenshot it looks like the log in question is being identified as looking for dst port 7443 right? Regardless the application-default port for SSL identified traffic is only 443; so if you want to allow it on 8443/7443 or whatever you need to actually specify that. As your current security policy is written this traffic doesn't match your policy.
06-11-2018 08:38 AM
Can you share screenshot of permit rule and denied log entry.
Most likely zone or user/group mismatch.
06-11-2018 11:18 AM
Aside from what @Raido_Rattameister already mentioned I would also look at the logs and verify that it's being seen on a default port and that the application is getting identified. There's a lot of little gotcha's here that can get in the way of this working properly.
It's showing on the correct port (443 and 8443 is what I was looking at) and being IDd as SSL traffic.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!