Issues with Captive Portal / Continue URL Filtering Response page on 10.1.12

NeonNetSec — Wed, 01 May 2024 18:36:43 GMT

Upgraded 30 days ago to 10.1.12.
~14 days ago started getting complains from users that sites are broken - getting "site cannot be reached".
Sites that cannot be reached are site we specifically have "continue" action in our URL Filtering profile for
Changing "continue" to either "alert" or "allow" fixes the issue
Tested verting our "continue" Response Page back to Palo predefined default - issue persists when action is "continue"
Broken sites show a redirect to :6080
Traffic logs show 6080 traffic aged-out
Session log shows active captive-portal sessions for that traffic
Issue appears to be worsening (started w/ 1 particular site, more and more reports, another firewall affected, ...)

Any one experience this? Palo TAC says other customers are complaining about similar issue, feels like a PanOS bug but they will not commit to that yet.

EDIT:
also worth noting - I see the Captive Portal service is not healthy on this problem firewall. I tried restarting it, but no difference -

> debug software restart process l3-service
> show system software status | match l3svc
Process l3svc stopping (pid: -1) - User Stop

Judging by the fact that the browser shows :6080 when "site cannot be reached", I have a hunch this is the issue..

EDIT 2: solved - hung l3-svc was the issue. HA failing to an HA peer that had a "running" l3-svc immediately cleared up the issue.

Unfortunately during this maintenance we uncovered a whole new issue/behavior in that, when we rebooted a suspended Passive HA peer, it came back totally borked and HA is just constantly flapping. Working w/ Palo TAC on this now..

topic Issues with Captive Portal / Continue URL Filtering Response page on 10.1.12 in Next-Generation Firewall Discussions

Issues with Captive Portal / Continue URL Filtering Response page on 10.1.12