About gwesson

Thanks for that info.    Last question: If you browse to Device tab > GlobalProtect Client, on the 4.1.6 row, does the Action column show "Activate", "Download", or "Reactivate"? If it's Reactivate, I am not sure why the upgrade isn't happening. If it's just "Activate", then 4.1.6 has been downloaded but not activated yet and you'll need to hit Activate to make it the active version.   As long as your client is connecting to the gateway, it should be fine. ... View more

It looks like you've excluded all of the lower case matches from your groups (your first example had a-zA-Z0-9). The parenthesis are also not needed, since you're not storing the values to capture groups. Try this:   blablaa[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9] ... View more

That's correct. The "SSL_CLIENT_CERT" means that the site is doing certificate-based client authentication.   A client cert can't be spoofed because you cannot generate a client cert on the fly that matches the CA requested by the server, so the firewall adds it to the exclude cache. ... View more

Try re-enabling the profiles one at a time (start with URL filtering, commit; then add antivirus, commit...). Eventually you'll enable the profile that is causing the drops, and you should be able to find it there.   While the session is active, you can also check for sessions that match your IPTV's address (show session all match source 192.0.2.1...). If you see any sessions set to Discard state, review that session (show session id 12345678) to see the reason.   Beyond Traffic, URL, and Threat there Data Filtering logs (corresponding to File Blocking profiles) and Wildfire submissions. It may be a profile that you're using that you may not expect to drop the traffic. ... View more

What you're referring to is called a Challenge ACK, described in RFC-5961 (Section 4).   In a nutshell, it states that if a new SYN is received the server should respond with a new ACK with the most recently sent acknowledgement number as you see. The client will send the reset, which (if it makes it to the server) should free the socket on the server allowing another new SYN to be sent.   The RFC is explicit about this (4.2): 1) If the SYN bit is set, irrespective of the sequence number, TCP MUST send an ACK (also referred to as challenge ACK) to the remote peer: <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK> After sending the acknowledgment, TCP MUST drop the unacceptable segment and stop processing further.   Dropping the RST is actually an intended behavior. While it breaks the Challenge ACK mechanism, it prevents out-of-band spoofed addresses from correctly guessing the 4-tupple and killing the connection prematurely.   Starting with PAN-OS 8.0.7 (and higher, also included in all versions of 8.1) you would need to enter the following commands:     > configure # set deviceconfig setting tcp allow-challenge-ack yes  # commit   That is a global setting, so you can't apply it for just one set of devices. Keep in mind that it also removes the mitigation for a spoofed RST in the current TCP receive window, but that is a pretty tough thing to guess. ... View more