About gwesson

  Bi-directional NAT rules create 2 different NAT policies, even though one rule is in place. That may be tripping you up.   You can see all the rules in place (not including disabled rules) with the CLI command: > show running nat-policy   If you want to only see the rule numbers themselves, add a match criteria such as: > show running nat-policy | match index   That will spit out only the index numbers of the rules.    ... View more

  It's permanent, but does not survive a reboot:   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/temporarily-disable-ssl-decryption.html   Once you reboot the firewall, the setting is gone. Also, it's not part of the config so it won't show up in your running-config.xml file. ... View more

SAML was introduced in PAN-OS 8.0 and is supported on 8.1 as well. Support on the GP side includes version 4.0, but that version is almost End of Life (January 30, 2019), so I'd recommend GlobalProtect version 4.1. ... View more

Yes, it's normal.   In an Active/Passive environment, the passive firewall only receives data from the active and does not generally send any data to the active. It's not handling any sessions itself, so there's nothing to send to the active.   The logs are pretty verbose at times, so you're just seeing a statement that the passive went through a routine to send something to the peer but because it was in the passive state it didn't send. Totally normal, nothing to worry about. You can check the active at the same timestamp and might see what was actually synched. ... View more

If you haven't seen it yet, check out the inline help options built into the firewall and Panorama. There, you'll see some very helpful info including the answer to this question:     Report Benign Files When this option is enabled (disabled by default), files analyzed by WildFire that are determined to be benign will appear in the Monitor > WildFire Submissions log. Even if this option is enabled on the firewall, email links that WildFire deems benign will not be logged because of the potential quantity of links processed.   Report Grayware Files When this option is enabled (disabled by default), files analyzed by WildFire that are determined to be grayware will appear in the Monitor > WildFire Submissions log. - Even if this option is enabled on the firewall, email links that WildFire determines to be grayware will not be logged because of the potential quantity of links processed.    ... View more

The session you pasted before was on port 443, so the port 80 allowance wouldn't have helped this session:     Session 33880958 c2s flow: source: 10.29.32.146 [_DMZ] dst: 65.55.163.76 proto: 6 sport: 59760 dport: 443   If I had to hazard a guess, it was probably the destination blocks that were in place. But since you do have a next-gen firewall, if you are seeing TLS(ssl) traffic on port 80, the firewall will still know it's TLS and will try to display the block page if it's denied.   ... View more

This is because that session was denied for some reason in your security policy.     Session 33880958 ... tracker stage firewall : proxy decrypt failure end-reason : policy-deny   This article talks about the setup to ensure that a deny page is displayed (instead of a generic connection error). Your firewall has likely enabled that config, but was unable to display the page to the client. It could be as simple as the client not trusting the cert, which would make sense if you haven't set up decryption for your userbase. ... View more