Hi, thanks for the quick reply. By adding the google-base App-ID in the security policy, do you mean: edit the rule in question, go to the Application tab, and add google-base under the applications? If so, that is tedious and leads me down the application rabbit hole. Then for each thing that should be working with SSL but has some sort of custom application, I have to add that one, and then another one, and another, etc. Pretty soon I have tens or more of these pre-made applications, just running over SSL. I just want to allow anything running on SSL. And that doesn't seem to work.
So I have this dual-personality thing going on with the PA firewall and am learning, so this might be an easy one. I kind of don't like the requirement to create "application"-based rules and then back them up with "service"-based rules. I had this security policy in place and was playing with it:

RULEBASE1 (old working rulebase):
- user2internet allow service-https & service-http (service-based rule)
- user2internet allow ftp, ntp, ping (application-based rule)

RULEBASE2 (new rulebase, trying to migrate to all application-based):
- user2internet allow service-http (service-based rule)
- user2internet allow ftp, ntp, ssl, ping (application-based rule)

My thinking is any HTTPS website should use SSL, right? So if I go to a secure site with rulebase1, I'm using line 1; with rulebase2, I use line 2. Both rules work fine most of the time. In fact rulebase1 is the months-old config, so it's a fine rule. rulebase2, not so much! Under rulebase2, many SSL-enabled websites load, but funny thing: https://www.google.com doesn't load. I get some sort of connection reset message, I think from the PA firewall. What's up here? Why is Google special? What other sites won't work under rulebase2? How do I work around this?

NOTE: I'm not going to get nickel-and-dimed by configuring every SSL application under the sun that a normal user may want to use on the internet. So things like google-base (SSL) will remain unconfigured, but I suspect this has something to do with the problem. Maybe big companies, which are special, have their own defined pre-canned PA applications, and for some reason, if the PA sees this riding on top of SSL, it still denies the connection, unless that sub-type application (under SSL) is also configured?
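The behaviour the post describes, modelled as an added example (this is not PAN-OS code and not the poster's configuration): App-ID first identifies the session as ssl and, for a site the firewall has a more specific signature for, shifts the identification to that application (google-base here, as the poster suspects). Policy is re-evaluated at each shift, so a rulebase that allows only ssl stops matching once the app becomes google-base and the session falls through to the implicit deny. A service-based rule keyed on port 443 keeps matching because it does not look at the application at all. Assumptions: service objects are reduced to a single TCP port, the application-based rules are modelled with service "any" rather than application-default, and the App-ID sequence per session (web-browsing, ssl, google-base) is constructed for the comparison; the rule names are placeholders.

```python
from dataclasses import dataclass

# Constructed: service objects reduced to a TCP port (real PAN-OS service
# objects carry a protocol and port ranges).
SERVICE_PORTS = {"service-http": 80, "service-https": 443}


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset      # App-IDs the rule allows; {"any"} matches every app
    services: frozenset  # service objects; {"any"} matches every port


def rule_matches(rule: Rule, app: str, port: int) -> bool:
    """True when both the application column and the service column match."""
    app_ok = "any" in rule.apps or app in rule.apps
    svc_ok = "any" in rule.services or any(
        SERVICE_PORTS.get(svc) == port for svc in rule.services
    )
    return app_ok and svc_ok


def evaluate(rulebase, app_sequence, port):
    """Walk the App-ID identifications a session goes through, in order.

    Policy is re-checked at every shift; the first matching rule wins, and if
    no rule matches at any stage the session is denied (the implicit deny at
    the end of the rulebase). Returns ("allow", rule name) or
    ("deny", app that found no rule).
    """
    if not app_sequence:
        return ("deny", "")
    winner = None
    for app in app_sequence:
        winner = next((r for r in rulebase if rule_matches(r, app, port)), None)
        if winner is None:
            return ("deny", app)
    return ("allow", winner.name)


# The two rulebases from the post, with placeholder rule names.
RULEBASE1 = [
    Rule("user2internet-svc", frozenset({"any"}),
         frozenset({"service-https", "service-http"})),
    Rule("user2internet-app", frozenset({"ftp", "ntp", "ping"}),
         frozenset({"any"})),
]
RULEBASE2 = [
    Rule("user2internet-svc", frozenset({"any"}), frozenset({"service-http"})),
    Rule("user2internet-app", frozenset({"ftp", "ntp", "ssl", "ping"}),
         frozenset({"any"})),
]

# Constructed sample sessions: (description, App-ID sequence, destination port).
SESSIONS = [
    ("plain http site", ["web-browsing"], 80),
    ("generic https site", ["ssl"], 443),
    ("https://www.google.com", ["ssl", "google-base"], 443),
]


def compare(sessions=SESSIONS):
    """Map each session to its verdict under rulebase1 and rulebase2."""
    return {
        desc: (evaluate(RULEBASE1, apps, port), evaluate(RULEBASE2, apps, port))
        for desc, apps, port in sessions
    }


if __name__ == "__main__":
    for desc, (r1, r2) in compare().items():
        print(f"{desc:24} rulebase1={r1}  rulebase2={r2}")
```

Run as-is, the generic HTTPS site passes under both rulebases, while the Google session is allowed by rulebase1's port-443 rule and denied by rulebase2 the moment App-ID shifts from ssl to google-base. That is why a connection that has already completed its TLS handshake can still be cut off, and it is the check to make when diagnosing "most SSL sites work, this one does not": look at the session's final application in the traffic log, not the first one. The two defensive fixes are the ones the thread is circling: allow the specific App-ID in the application-based rule, or keep a service-https rule alongside it.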