About Remo

Remo · ‎04-03-2018

@OMatlock Another option would be path monitoring for a static route. This feature definately does not require HA to be enabled. The documentation about this feature you can find here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/static-routes/configure-path-monitoring-for-a-static-route (This link points to PAN-OS 8.1 but in PAN-OS 8.0 it is the same)

Remo · ‎04-02-2018

It's not very likely, because you tested with different internet access, but it still might be related to MTU mismatch issues. TLS connection don't like fragmentation. But there are quite a few other things that are part of the game here: PAN-OS 7.1.10: maybe a bug with the decryption performance? GP Agent version: versions 4.0.3/4/5 has a bug where fragmented udp packets were dropped - may be related if you use chrome for download tests that was connection to the servers with TLS over UDP MTU/MSS mismatch issues Do you use the same firewall also for other things? Like TLS forward proxy or TLS inbound inspection, so the firewall was already busy with other things when you did your test

Remo · ‎04-02-2018

But regarding your question: no, there is no automatic fallback to IPSec. After a network change or a manual network rediscovery where the connection needs to be reestablished, GP will try again first wirh IPsec. And may be even there GP stays with TLS, if you have configured a reconnect time where GP client is allowed to reconnect to an existing session.

Remo · ‎04-02-2018

What hardware are you using (GP gateway)? Is it 10mbps constantly or more an up and down with peaks at 10mbps?

Remo · ‎04-02-2018

@jdprovine It now only depends on how much effort you want to spend to get rid of some or most of these warnings, as there is no easy checkbox to ignore and hide these. In the example for google play you could analyze what URLs you have in that rule alllwing google play. With these rules you then create a custom URL category and add this category to the google-play rule in addition to the application ssl and google-base. This way the warning should be gone and you do not allow general internet access. This method probably also works with webex and spotify for example. To even further limit it, you could also specify ip addresses. At least for the google rule this is possible, as google publishes all their IP ranges. For the other two examples I don't know.

Remo · ‎04-02-2018

@jdprovine I absolutely agree. In some cases it's not only annoying, it of course also obscure real warnings and errors. So a feature like a simple checkbox "ignore application dependencies" in the commit status would be helpful.

Remo · ‎04-02-2018

It really depends on the actual use case. When you have a general webaccess rule that allows users to browse the internet, then it's not a big deal. If you don't allow internet access but you want to allow webex for example, then it is quite a difference if you also allow ssl or not. The "issue" is that the description might let others think they really NEED to allow the dependencies to make the rule work while it is not needed. It's just not only a binary decition we have here. But for everyone who knows what they are doing, these commit warnings are annoying. But at least the initial question if there is a way to ignore/hide/whatever these warnings is answered - there isn't a way.

Remo · ‎04-02-2018

Did you configure 8.8.8.8 as DNS server in the deviceconfig?

Remo · ‎04-02-2018

In this case you can simply add the required categories directly into your security policy rule (in the WebUI this is located on the same tab where you add a service) and then configure the action to drop.

Remo · ‎04-02-2018

The linkorder at google changed ... anyway ... did you try this command: show system setting ssl-decrypt memory But upgrading is anyway a good idea 😉

Remo · ‎04-02-2018

http://bfy.tw/HQZL On the search result page it's the first link that will get you to the command to check proxy memory. But to check exactly if you expetience this bug, you should open a TAC case.

Remo · ‎04-01-2018

Did you check the Global protect logs for errors? Or may be before further troubleshooting: could you try with 4.0.7 first?

Remo · ‎04-01-2018

What MacOS version?

Remo · ‎03-31-2018

@MagicinSKY Do you have other VPN software installed on your computer? And/or may be some other software that conflicts with the GP driver or is this a newly installed win8.1 without additional software?

Remo · ‎03-31-2018

Hi @CastawayKid In a normal situation the url filtering log would be a good start. Even better would be to use the unified log view in such a case, as it shows all logtypes in one view. This way you probably see the problem way earlier than searching through the diffetent logs independently. The "issue" you are facing here is a little more complex, because there actually is no other log entry than the one in your screenshot. If you really want to know what happens you need to dig deeper: with packet captures to check what the client and server actually send and with a flow basic analysis so see what the firewall is doing with the server and/or client traffic. But for exactly this situation I already created a TAC case a while ago and the reason simply is: there is a decryption problem happening here. Because of some reason the firewall is not able to decrypt this session, so the traffic (action allow comes from the security policy) is denied by the decryption policy. Regards, Remo PS: The actual answer from TAC I have posted here (the last post in this topic): https://live.paloaltonetworks.com/t5/General-Topics/Action-and-Session-End-Reason-conflict-when-SSL-decryption/m-p/163593#M52946

Member Since	‎03-20-2013 04:23 AM
Date Last Visited	‎11-26-2025 01:29 PM
Posts	2,247
Total Likes Received	806

Online Status	Offline
Date Last Visited	‎11-26-2025 01:29 PM

About Remo

Re: Certificate Expired Warning in Deploy but all certificates are good

Re: How to request a URL filtering change to High-Risk?

Re: Template vs Device Group

Re: sorting question

Re: Panorama Disk

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Bad support from plaoalto

Re: Activate Firewall with Expired License / Unknown Auth Code

Re: Wait time

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Active-Passive pair takes long to show the status when one is rebooted.

Re: sorting question

Re: Deal Registration End Customer Details not Include

Re: Enable Qos on sub-interface

Firewallcrash because of Application cloud Engine (ACE)

Re: Admin console unreachable/cant remote in or ping - PA support wont let you submit a ticket without a TSF file - which you get via admin console

Re: How to request a URL filtering change to High-Risk?

Re: Log Container Page Only - impact?

Re: Stop wsc files

Re: Customer Support Portal error

Nominated Discussion - Sorting Question

Nominated Discussion: URL Filtering in TLS v1.3

How to Add Log Forwarding Profiles in All Security Policies

Re: General Interface status?

Re: Global Protect IPSec/SSL

Re: Global Protect IPSec/SSL

Re: Global Protect IPSec/SSL

Re: commit status warning on rules that are working the way I want them too

Re: commit status warning on rules that are working the way I want them too

Re: commit status warning on rules that are working the way I want them too

Re: DNS not working

Re: URL Filtering with no block page

Re: Authentication error Gprotect

Re: Authentication error Gprotect

Re: When I press "Connect" button nothing happens

Re: When I press "Connect" button nothing happens

Re: Seek for help: Failure to use Global Protect VPN

Re: Identify Policy Deny Source

Seattle Beta - GlobalProtect (ELK)

Unlock your full community experience!

About Remo