I do not have the situation that nopsled has, but there is a valid use case for using MineMeld over HTTP. From a security perspective HTTP is definitely not an option, but when you want to ensure the availability of the MineMeld list in your firewall in an EDL, then MineMeld has to be up and running all the time. If the MineMeld machine, and thus the MineMeld list for the EDL, is not available over HTTPS, then the EDL list seems to get emptied. To avoid this situation and to make sure that the firewall uses the last successfully retrieved list, HTTP has to be used. Here is the exact information on this: "If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server, but only if the list is not secured with SSL."
The link for the resource is here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list