I'm running 4.1.10. In order for the PAN to accept client connections (I'm binding the portal to the "outside" interface) I had to create a security rule - "outside zone to outside zone, destination the external interface of the PAN, apps - SSL, web browsing, and panos-global-protect, services http (80) and https (433)." Without this rule clients were not able to connect. BUT this has to do with the fact that I have an explicit deny rule at the bottom of my policy for logging purposes. So, in my case I need to create explicit zone to zone rules (I didn't recreate the hidden same zone to same zone allow rule - this is by design).
... View more