Sure, I can expand on it as much as I can since I’m not a network services guy.
We’re currently using Palo Alto as our hardware firewall. With the two BigFix servers on the same subnet, we aren’t using PA between them, which allowed me to push out the relay update and other software to the secondary BigFix server. Basically, the only difference between the relay server and the endpoint was the Palo Alto firewall.
Within the Palo Alto web GUI, there’s a monitoring page where you can look at traffic, threats, etc. I had been working on getting firewall rules for various BigFix-related things, since I was seeing “denies” from the BigFix server to the endpoint I was testing with. I got all of those resolved and was able to push the BigFix client to it about a week ago via the Deploy Tool.
Today I had the network services guys look more deeply into it, and they found that Palo Alto was blocking Microsoft Portable Executable files, which is/was our default due to the more locked-down environment we have, and was marking them as “threats”.
They created exceptions for those to the endpoints in this specific environment going both ways (from server to endpoint and from endpoint to server), since the download was failing when only one way was opened up. Allowing both ways made pushing out the Fixlet successful.