URL Filter Inline Categorization SLOW/DELAY - troubleshooting?


L4 Transporter

Since updating to PAN-OS 10.2.8 (and subsequently 10.2.9-h1), we've had numerous complaints of slow website access.  Outside of the firewall it works fine.

 

I've since narrowed it down to a problem or issue with the URL Filtering Inline Categorization engine.  Is there a way to troubleshoot what the hang-up is?  Logs seem to tell me very little and when I do a packet trace I just see a series of attempts by the client browser to get a response from the server.

 

Without the issue, access is near instantaneous, but on some sites, with the filter enabled, the site takes 2-3 minutes to show up, and you can see in the packet capture as well as monitoring in the web browser there are distinct pauses of multiples of 15 seconds, such as 15 and 45 second pauses, before getting additional information.

 

Any ideas?  

 

We do NOT have our URL White List category added as an exception to the Inline filter and perhaps we should. It has never been an issue until now however. (I should add this particular site I've been testing with is White Listed but there of course are many that are not so an exception here isn't exactly a solution.)
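The pause pattern described in the post above (stalls that are multiples of 15 seconds) can be confirmed from a capture with a short script. This is an added example, not part of the original thread; it assumes each packet has been exported as a line of `<tcp stream id> <epoch seconds>` (for instance with tshark's `tcp.stream` and `frame.time_epoch` fields), and the sample data and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, one packet per line: "<tcp stream id> <epoch seconds>".
# Not data from the original thread.
SAMPLE = """\
0 1000.000
0 1000.040
0 1015.050
0 1015.090
0 1060.100
0 1060.130
1 1000.010
1 1000.300
1 1002.900
"""

def parse(text):
    """Return {stream_id: sorted list of packet timestamps}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, ts = line.split()
        flows[int(stream)].append(float(ts))
    return {s: sorted(t) for s, t in flows.items()}

def find_stalls(flows, period=15.0, tolerance=0.5, min_gap=5.0):
    """List (stream, start_ts, gap, multiple) for every gap >= min_gap.

    multiple is n when the gap is within `tolerance` seconds of n * period,
    otherwise None (a long pause that does not fit the pattern).
    """
    stalls = []
    for stream, times in sorted(flows.items()):
        for prev, cur in zip(times, times[1:]):
            gap = cur - prev
            if gap < min_gap:
                continue
            n = round(gap / period)
            fits = n >= 1 and abs(gap - n * period) <= tolerance
            stalls.append((stream, prev, round(gap, 3), n if fits else None))
    return stalls

if __name__ == "__main__":
    for stream, start, gap, n in find_stalls(parse(SAMPLE)):
        label = f"{n} x 15 s" if n else "no 15 s fit"
        print(f"stream {stream}: {gap:.3f} s pause after t={start:.3f} ({label})")
```

Running the same script on a capture taken with Inline Categorization disabled gives a baseline to compare against.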

 

4 REPLIES

L6 Presenter

I looked through the release notes and couldn't find anything.  My suggestion would be to open a support case.

 

I have multiple 3410s/20s running 10.2.7-h8 and we've had no reports of any website slowness.

L4 Transporter

Thanks. I have an active case open but it's taking some time to work through, so I thought I'd pose the question in case someone here has run into it before. Hopefully we'll find the root cause and can get it fixed.

L4 Transporter

In case anyone else runs into this, after speaking with Palo, this is a known issue engineers are working on that started with PAN-OS 10.2.8 and will manifest itself when decryption is active alongside the Inline Cloud URL Categorization engine.

 

Couple workarounds:

1 - Change your Content Cloud Setting service URL to the country directly you are in - in my case it was us.hawkeye.services-edge.paloaltonetworks.com.

2 - Use a custom URL list (in my case my whitelist) and add it to the exception list under the URL categorization exception list for the inline function in your URL profile. (I guess putting your whitelist here is a best practice?)

3 - Turn off Inline Cloud Categorization completely

 

Oddly enough, despite this being related to the decryption engine in some way, putting the site in the decryption exclusion list didn't help where it has in the past which led me down the wrong path to begin with.

 

If you need to, refer to PAN-253468 if you end up speaking to an engineer at Palo as that is what this problem is logged under.

 

L4 Transporter

https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevent... has region-specific cloud connection FQDNs listed in Step 9 under PAN-OS.
