10-30-2021 08:38 PM - edited 10-30-2021 08:58 PM
Hi @benball,
This is very common with PAN-OS 8.1 and below. Once the traffic is decrypted, the NGFW recognizes the decrypted application as web-browsing. Web-browsing on tcp/443 does not match any of your rules and therefore is dropped by the interzone-default rule.
Create a new rule to allow web-browsing on service-https, and your configuration will work. This means that you configured decryption correctly! [Edit yet again.] Now that you are decrypting traffic, your NGFW will recognize many more web apps like facebook, google, etc. So, you may as well allow any app outbound on 443 until you decide if you will build a full whitelist.
PAN-OS 9.0 added secure ports to applications so that web-browsing with application-default will work with SSL decryption and you do not need to create a separate rule. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes/pan-os-9-0-release-information/fea...
Thanks,
Tom
PS: You can also add the Decrypted column in the traffic logs to verify if the NGFW is decrypting traffic.
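The rule change Tom describes, written out as an added PAN-OS 8.1 CLI configuration example (this is not code from the original post); the zone names trust/untrust and the rule names are assumptions.

```text
# Added example, not from the original post. PAN-OS 8.1, configure mode.
# Zone names "trust"/"untrust" and the rule names are assumed.

# Existing outbound rule: matches the app "ssl" on application-default (tcp/443).
# Once decryption is on, the session is re-identified as "web-browsing" on tcp/443,
# no longer matches this rule, and falls through to interzone-default (deny).
set rulebase security rules Allow-SSL-Out from trust to untrust source any destination any application ssl service application-default action allow

# Added rule: explicitly allow web-browsing on service-https (tcp/443) so the
# decrypted session hits an allow rule instead of interzone-default.
# log-end lets you confirm the match and the Decrypted column in the traffic logs.
set rulebase security rules Allow-Decrypted-Web from trust to untrust source any destination any application web-browsing service service-https action allow log-end yes

# Optional, as suggested above: until a full application whitelist exists,
# allow any app outbound on tcp/443 (replace when the whitelist is ready).
# set rulebase security rules Allow-Any-443-Out from trust to untrust source any destination any application any service service-https action allow log-end yes

commit
```

On PAN-OS 9.0 and later the second rule is unnecessary, since web-browsing with application-default already includes the decrypted tcp/443 port.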