This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Troubleshooting GlobalProtect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Troubleshooting GlobalProtect

Go to solution
Nathan.S
L3 Networker

‎06-11-2018 08:36 AM

PA220, 8.1.1, GPClient 4.1.1, GP license activated. 

Connecting to the GPportal/gateway works fine. Traffic routes as expected. 
We're still testing, so access is severly limited and policies wide open once connected. Literally, everything is allowed for GP users. 
However, when i attempt to access an internal SSL-protected site, the traffic is denied. 
I can even change the rule to expressly allow SSL & web-browsing to that device and it still hits the DenyAll rule at the bottom. 

What am I missing in my setup?

0 Likes Likes
8 REPLIES 8

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Nathan.S

‎06-11-2018 11:51 AM

@Nathan.S,

Looking at your screenshot it looks like the log in question is being identified as looking for dst port 7443 right? Regardless the application-default port for SSL identified traffic is only 443; so if you want to allow it on 8443/7443 or whatever you need to actually specify that. As your current security policy is written this traffic doesn't match your policy. 

Go to solution
Nathan.S
L3 Networker
In response to BPry

‎06-11-2018 11:53 AM

Even though I have the apps set to 'any'?
huh. 
Let me look at the logs again, I'm pretty sure 443 traffic was failing too

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Nathan.S

‎06-11-2018 11:55 AM

@Nathan.S,

Yes; this is due to specifying the service as application-default. Since the app-id is being identified as 'ssl' the only default service that is going to be allowed is 443. 

Go to solution
Nathan.S
L3 Networker
In response to BPry

‎06-11-2018 11:56 AM

Hmm, okay. I'll test further and will update. 

Thank you for your help!

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks