Cyber Elite

Hi @benball,

This is very common with PAN-OS 8.1 and below. Once the traffic is decrypted, the NGFW recognizes the decrypted application as web-browsing. Web-browsing on tcp/443 does not match any of your rules and is therefore dropped by the interzone-default rule.

Create a new rule to allow web-browsing on service-https, and your configuration will work. This means that you configured decryption correctly! [Edit yet again.] Now that you are decrypting traffic, your NGFW will recognize many more web apps like Facebook, Google, etc. So, you may as well allow any app outbound on 443 until you decide if you will build a full whitelist.

PAN-OS 9.0 added secure ports to applications so that web-browsing with application-default will work with SSL decryption and you do not need to create a separate rule. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/fea...

Thanks,

Tom

PS You can also add the Decrypted column in the traffic logs to verify if the NGFW is decrypting traffic.

Help the community: Like helpful comments and mark solutions.
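As an added illustration of the rule Tom describes (this is not from the original post and not Palo Alto Networks' own documentation), the PAN-OS configure-mode `set` commands below create an explicit allow rule for decrypted web-browsing on service-https, the way it is needed on PAN-OS 8.1 and earlier. The rule name `Allow-Decrypted-Web`, the zone names `trust` and `untrust`, and the name of the existing rule `Allow-Outbound-SSL` used for positioning are assumptions; substitute your own. Lines beginning with `#` are explanatory notes for the reader, not CLI input.

```text
# Enter configuration mode on the firewall CLI.
configure

# Assumed zone names (trust, untrust) and rule name (Allow-Decrypted-Web).
# Matches the app the NGFW sees after decryption (web-browsing) on the
# service-https service object (tcp/443), which interzone-default was dropping.
set rulebase security rules Allow-Decrypted-Web from trust to untrust
set rulebase security rules Allow-Decrypted-Web source any destination any
set rulebase security rules Allow-Decrypted-Web application web-browsing
set rulebase security rules Allow-Decrypted-Web service service-https
set rulebase security rules Allow-Decrypted-Web action allow
set rulebase security rules Allow-Decrypted-Web log-end yes

# Place it above the existing rule that allows the undecrypted ssl app,
# so the decrypted flow is evaluated before it falls through to
# interzone-default. Allow-Outbound-SSL is an assumed existing rule name.
move rulebase security rules Allow-Decrypted-Web before Allow-Outbound-SSL

commit
```

To confirm the problem before the change, and that it is gone after it, filter the traffic log (Monitor > Logs > Traffic) on the three facts Tom points at: the post-decryption app, the destination port, and the rule that dropped the session, with the Decrypted column added to the view.

```text
( app eq web-browsing ) and ( port.dst eq 443 ) and ( rule eq interzone-default )
```

Once the new rule is in place that filter should return nothing new, and the same sessions should appear with rule `Allow-Decrypted-Web` and the Decrypted column set to yes. On PAN-OS 9.0 and later, `service application-default` on an existing web-browsing rule achieves the same result without the dedicated rule, as the release note linked above describes.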
