
Palo Alto Networks (PAN-OS)

The RTA requires one outbound connection — OpenVPN over TCP/443 — to reach the testing infrastructure. Two PAN-OS NGFW features, SSL Forward Proxy decryption and App-ID enforcement, routinely break this even when port 443 is nominally permitted; follow all steps below.

Note

For the full background on why this connection is required and what traffic it carries, see the firewall troubleshooting overview and the RTA troubleshooting index.


1. Create an FQDN Address Object

PAN-OS resolves FQDN address objects itself and refreshes them periodically (on the record's TTL in current releases), so you do not need to allowlist individual IPs (the endpoint is fronted by AWS Global Accelerator and the IPs change). The firewall must be able to resolve the name through its own configured DNS servers (Device > Setup > Services); if it cannot, the object resolves to nothing and no rule that references it will match.

  1. Navigate to Objects > Addresses and click Add.
  2. Set Name to something recognisable, e.g. rta-connect-endpoint.
  3. Set Type to FQDN.
  4. Enter the value:
connect.remotetesting.secureworks.com
  5. Click OK.

2. Create a Decryption Exception (No Decrypt)

SSL Forward Proxy intercepts TCP/443 sessions expecting a TLS ClientHello that it can terminate and re-sign with its forward-trust CA. The RTA tunnel is OpenVPN, which wraps its TLS control channel in OpenVPN's own packet framing rather than sending plain HTTPS, so the proxy never sees a handshake it can parse and the session is reset immediately. You must tell PAN-OS not to decrypt this destination.

  1. Navigate to Policies > Decryption and click Add.
  2. Give the rule a name such as no-decrypt-rta-connect.
  3. On the Destination tab, add the rta-connect-endpoint FQDN object.
  4. On the Options tab, set Action to No Decrypt.
  5. Place this rule above any existing SSL Forward Proxy decrypt rule so it matches first.
  6. Click OK.

Warning

If you use a custom URL category for your decrypt policy instead of address objects, add connect.remotetesting.secureworks.com to your "no-decrypt" URL category rather than (or in addition to) the address-object approach above.


3. Allow the Application in Security Policy

Even with decryption bypassed, App-ID may classify the OpenVPN flow as the openvpn application, or leave it as unknown-tcp or incomplete if it cannot identify the flow, and a deny-all default rule then drops it. Two options are available; Option A is recommended.

Option A: Security Policy rule (recommended)

  1. Navigate to Policies > Security and click Add.
  2. Name the rule, e.g. allow-rta-openvpn.
  3. Source: set to the zone or subnet where the RTA appliance lives.
  4. Destination: set zone to your internet/untrust zone; add the rta-connect-endpoint address object.
  5. Application: add openvpn. As a safety net, also add ssl and unknown-tcp in case App-ID reclassifies the flow after a content update. This is acceptable only because the rule is pinned to the single rta-connect-endpoint destination; do not widen the destination to any, or the rule becomes a general unknown-tcp bypass.
  6. Service: create a custom service for tcp/443 and use it. application-default also works for openvpn (it covers TCP/443 for that application), but for unknown-tcp application-default imposes no port restriction, so the explicit service keeps the rule on port 443 only.
  7. Action: Allow.
  8. Place the rule above any broad deny rules.
  9. Click OK.
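The same objects and rules expressed as PAN-OS configuration-mode set commands, added here as an example rather than taken from the RTA documentation. The zone names trust (RTA side) and untrust (internet), the RTA address 10.10.10.50, the custom service name tcp-443 and the existing rule name deny-all are assumptions for this example; substitute your own. Lines beginning with ## are annotations, not commands. The node set varies slightly between PAN-OS releases, so complete each line with ? on your firewall before committing.

```text
## Assumed names: zones trust/untrust, RTA host 10.10.10.50, rule deny-all
configure
set address rta-connect-endpoint fqdn connect.remotetesting.secureworks.com
set address rta-connect-endpoint description "RTA OpenVPN endpoint, IPs change (AWS Global Accelerator)"
set service tcp-443 protocol tcp port 443

## Step 2: decryption exception, placed first so it wins over any decrypt rule
set rulebase decryption rules no-decrypt-rta-connect from trust to untrust
set rulebase decryption rules no-decrypt-rta-connect source 10.10.10.50 destination rta-connect-endpoint
set rulebase decryption rules no-decrypt-rta-connect source-user any category any
set rulebase decryption rules no-decrypt-rta-connect type ssl-forward-proxy
set rulebase decryption rules no-decrypt-rta-connect action no-decrypt
move rulebase decryption rules no-decrypt-rta-connect top

## Step 3, Option A: allow rule pinned to the FQDN object and tcp/443
set rulebase security rules allow-rta-openvpn from trust to untrust
set rulebase security rules allow-rta-openvpn source 10.10.10.50 destination rta-connect-endpoint
set rulebase security rules allow-rta-openvpn source-user any category any
set rulebase security rules allow-rta-openvpn application [ openvpn ssl unknown-tcp ]
set rulebase security rules allow-rta-openvpn service tcp-443
set rulebase security rules allow-rta-openvpn action allow
set rulebase security rules allow-rta-openvpn log-end yes
move rulebase security rules allow-rta-openvpn before deny-all
commit
```

The two move commands are the CLI equivalent of the ordering instructions above: the decryption exception goes to the top of the decryption rulebase, and the allow rule is placed before the broad deny. log-end yes is what makes the sessions visible in Monitor > Logs > Traffic for the verification in step 4.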

Option B — Application Override (use only if Option A fails)

Application Override forces a specific flow to a named application, bypassing App-ID classification entirely.

Warning

Application Override disables App-ID and all threat inspection (IPS, AV, DNS Security) for the matched flow. Use this only as a last resort if App-ID continues to drop the session after Option A is configured.

  1. Navigate to Policies > Application Override and click Add.
  2. Source / Destination / Service: match the RTA zone/subnet, the rta-connect-endpoint FQDN object, and protocol TCP, port 443. Keep the match this narrow: every session the rule matches skips inspection.
  3. Application: create a custom application of type TCP (e.g. rta-openvpn-override) and select it here.
  4. Ensure a corresponding Security Policy allow rule permits this custom application.
  5. Click OK.

4. Commit and Verify

Commit

PAN-OS changes do not take effect until committed.

  1. Click Commit (top-right) and confirm.
  2. Wait for the commit to complete successfully before testing.

Verify connectivity

From a host on the same network segment as the RTA appliance, run:

nc -vz connect.remotetesting.secureworks.com 443

A successful result looks like:

Connection to connect.remotetesting.secureworks.com port 443 [tcp/https] succeeded!

A successful nc result only proves that the TCP three-way handshake completes (the line shown is OpenBSD netcat's format; ncat prints a similar message). Decryption and App-ID act on the data that follows the handshake, so this check cannot rule out a problem with steps 2 or 3. If the connection succeeds, power on (or restart) the RTA and confirm the tunnel comes up and stays up in the RTA management interface.
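A probe that goes one step past nc, added here as an example and not part of the RTA documentation or any Secureworks tooling: after the TCP handshake it sends the first packet a real OpenVPN client sends over TCP (a P_CONTROL_HARD_RESET_CLIENT_V2 in OpenVPN's own framing, without tls-auth or tls-crypt) and reports what the path does with it. The host and port are the values from this page; the packet layout follows the OpenVPN protocol; the verdict strings and the classification rules are this example's own. A reset right after that first packet is the behaviour step 2 exists to prevent; a server hard-reset in reply means the path is clear.

```python
#!/usr/bin/env python3
"""Send an OpenVPN client hard-reset over TCP and classify the response.

Added example for this page (not RTA or Secureworks code). HOST and PORT
are the values documented on the page; both can be overridden on the
command line. Verdict strings are this example's own convention.
"""
import os
import socket
import struct
import sys

HOST = "connect.remotetesting.secureworks.com"
PORT = 443

# OpenVPN opcodes. The first byte of a packet is (opcode << 3) | key_id,
# with key_id 0 for a fresh session.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_hard_reset(session_id: bytes) -> bytes:
    """Frame a client hard-reset as OpenVPN sends it over TCP.

    Layout: 2-byte big-endian length, opcode/key-id byte, 8-byte session
    id, 1-byte ACK count (0, so no remote session id follows), 4-byte
    packet id (0). No tls-auth HMAC or tls-crypt wrapping is applied, so
    a server that requires them will discard this packet.
    """
    if len(session_id) != 8:
        raise ValueError("OpenVPN session ids are exactly 8 bytes")
    body = (
        bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3])
        + session_id
        + b"\x00"               # empty ACK array
        + struct.pack(">I", 0)  # packet id
    )
    return struct.pack(">H", len(body)) + body


def parse_opcode(frame: bytes):
    """Opcode of a length-prefixed OpenVPN TCP frame, or None if the bytes
    are not one complete, well-formed frame (e.g. a TLS alert from a proxy)."""
    if len(frame) < 3:
        return None
    (length,) = struct.unpack(">H", frame[:2])
    if length == 0 or len(frame) < 2 + length:
        return None
    return frame[2] >> 3


def classify(event: str, data: bytes = b"") -> str:
    """Turn what happened after the hard-reset into a verdict.

    event is one of "data", "reset", "eof", "timeout", "connect-error".
    """
    if event == "data":
        if parse_opcode(data) == P_CONTROL_HARD_RESET_SERVER_V2:
            return "ok: OpenVPN server answered with a server hard-reset; decryption bypass and security policy are working"
        return "unexpected: non-OpenVPN bytes returned; something other than the OpenVPN server is answering on this path"
    if event == "reset":
        return "blocked: TCP reset right after the first OpenVPN packet; check the no-decrypt rule and for a security rule with a reset action"
    if event == "connect-error":
        return "blocked: TCP connection failed (%s); check security policy and routing before decryption" % data.decode(errors="replace")
    # "eof" or "timeout": the server may simply have discarded an unauthenticated reset
    return "inconclusive: no OpenVPN reply (clean close or silence); a server using tls-auth/tls-crypt discards unauthenticated resets, so confirm with the firewall's traffic and decryption logs"


def probe(host: str = HOST, port: int = PORT, timeout: float = 5.0) -> str:
    """Connect, send the client hard-reset, classify the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, connect timeout
        return classify("connect-error", str(exc).encode())
    with sock:
        try:
            sock.sendall(build_client_hard_reset(os.urandom(8)))
            data = sock.recv(4096)
        except socket.timeout:
            return classify("timeout")
        except ConnectionResetError:
            return classify("reset")
        except OSError as exc:
            return classify("connect-error", str(exc).encode())
    if not data:
        return classify("eof")
    return classify("data", data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    print(probe(target, port))
```

Run it from a host on the RTA's segment. The "inconclusive" verdict is deliberate: a production OpenVPN server protected with tls-auth or tls-crypt will not answer an unauthenticated reset, so silence or a clean close proves nothing either way, while a reset by peer immediately after the first OpenVPN bytes is the signature of an interposed proxy or a reset-action policy and points straight at step 2 or step 3.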

Check the logs

In Monitor > Logs > Traffic, filter on:

( addr.dst in connect.remotetesting.secureworks.com )
  • The Application column should show openvpn (not incomplete or unknown-tcp with a deny action).
  • The traffic log stores the resolved IP address, not the name; if the filter returns nothing, filter on the addresses the firewall currently resolves for the rta-connect-endpoint object instead.
  • In Monitor > Logs > Decryption, confirm no sessions to this destination show a decrypt action.

Tip

If you see repeated entries whose Session End Reason is policy-deny, re-check that the Security Policy rule is positioned above the deny-all rule and that the commit completed without errors. End reasons such as decrypt-error or decrypt-unsupport-param mean the session was still being decrypted; re-check that the No Decrypt rule sits above every decrypt rule and actually matches the destination.
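The same checks from the firewall's operational CLI, added as an example (not from the RTA documentation). The RTA address 10.10.10.50, the address 203.0.113.10 standing in for one of the IPs the firewall currently resolves for the FQDN object, and the zone names trust/untrust are placeholders; lines beginning with ## are annotations, not commands. Argument names can differ between PAN-OS releases, so complete them with ? if a line is rejected.

```text
## Placeholders: RTA 10.10.10.50, resolved endpoint IP 203.0.113.10, zones trust/untrust
request system fqdn show
test security-policy-match from trust to untrust source 10.10.10.50 destination 203.0.113.10 protocol 6 destination-port 443 application openvpn
test decryption-policy-match from trust to untrust source 10.10.10.50 destination 203.0.113.10 category any
show session all filter source 10.10.10.50 destination-port 443
show log traffic query equal "( addr.src in 10.10.10.50 ) and ( port.dst eq 443 )"
show counter global filter delta yes severity drop
```

request system fqdn show lists what the firewall has actually resolved for the object (an empty list points at the firewall's own DNS settings, not at policy). The two test commands print the rule that would match: the security test should name allow-rta-openvpn rather than the deny rule, and the decryption test should name no-decrypt-rta-connect. show session all shows the live session's application and rule, and the drop counters taken twice a few seconds apart (delta yes) show whether policy or decryption drops are still incrementing while the RTA retries.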