About froggyj

I have the following scenario I came across and just curious if this is expected behavior. It is recommended when "whitelisting" and application to use the application-default service (so it only works on its default port), or if you are "blacklisting" to use the service "any" (to block the app on any port used). I'm not so sure this works using groups though? Here is an example: Rule 1 - Allowed Exception During Lunch - YouTube - application-default - ALLOW Rule 2 - Whitelist - Application Group which includes SSL etc... - application-default - ALLOW Rule 3 - Blacklist - Application Group to Deny which includes SSL as part of a filter - any  - DENY<--use ANY service for deny rules When I try to commit it gives me a warning that YouTube has a dependency of SSL, which is denied by the Blacklist rule. This doesn't make sense as SSL is allowed in rule 2 so therefore in my mind it "should" work. What am I missing? and when using application groups do you have to leave the service as "any" or can you use the application-default just fine and if you have a list of 5 applications, each one of those will only work on its respective default port. ... View more

I have upgraded several devices from 5.0.8, but of course the last one has to give me grief. Since upgrading from 5.0.8 to 6.0.1, I can no longer ssh or https to the management port (or any other interface on the firewall). The only way I can get on the box is to ssh to a router that is directly connected, then ssh from there to the firewall (PA3020). Once I got on there I did restart it again for good measure but nothing changed. Verified there is no asymmetric routing issue and verified "show deviceconfig system service" that https is not disabled. I also changed http to not disabled and I can't access it even through http so it's not protocol specific or certificate related etc....Nothing else has changed, just a routine upgrade like every other site, but I'm getting stumped for ideas. I spend 2+ hours on the phone with TAC and got nowhere, now waiting for the next tier....so thought I would throw it out there to the community in case someone has come across this scenario. ... View more

We upgraded our PA5020 from 5.07 to 6.0.1 to utilize TLS 1.2 to handle decryption but as a result we have created an issue with our phones. We have a couple call managers behind the PA5020's at our data center and several branch offices around the world that rely on them. The branch MGCP gateway uses UDP 2427 to send notification messages and TCP 2428 to handle call setup etc....When we place an outbound call from a branch, the phone (Cisco 8961) works fine for approx 23 seconds and then goes into preservation mode, which keeps the call connected in a "fail over" state however phone features like hold, transfer etc no longer work. When we do a packet capture we can see the UDP 2427 MGCP packets being dropped and then subsequent retries and then at which time the call manager assumes it has lost connectivity to the MGCP gateway and the phone goes into preservation mode. Here are some things we have done thus far: -created a rule to allow everything from anywhere going to anywhere to ensure there was no policy causing an issue -since these are SIP phones we disabled SIP ALG, but it's not the SIP portion that has an issue, so no change -created an application override for MGCP with UDP and TCP ports 0-65535 for good measure and still the packets are dropped We do have a call in with TAC, but since this is affecting every branch, it's getting a little warm under the collar. We may have no choice but to revert back to 5.x but thought I would throw it out there to the community in case someone has some other ideas we can try. ... View more