topic Re: url_filtering problem in General Topics

url_filtering problem

johan.boeckx — Sat, 15 Nov 2014 09:17:00 GMT

HI all,

We have a cluster of 2xPA3050, for protection to untrusted zone. Last week we enabled the trial license for url_filtering. Since that moment we have met a special problem. We use a citrix application over ssl in the cloud. This citrix server is perfectly reachable, but after the authentication, the application seems to hang. We disabled all rules referring to url_filter categories, so there is no reference in the policy to url-filter. Nevertheless, with the license enabled, the citrix application doesn't work. There is no reference in the monitor tab/logs that something is dropped. By doing a packet capture, we only see an rst tcp reset from the other side, but nothing seems to be dropped or logged.

Anybody knows how I can troubleshoot this ? Is there a possibility that with activating the pan-db database in the licenses, without activating any rules, that there is an interception on ssl traffic ?

We have panos6.1, url_filtering, also global protect is enabled. Ssl decription is not enabled.

Thanks and greetz,

Johan

Re: url_filtering problem

bat — Sat, 15 Nov 2014 09:19:47 GMT

Hi johan.boeckx

Do you see any session in discard state for the concerned IP address, you can look at it using : show session all filter state discard source <ip-address> ?

Also can you compare the TTL value in RST packet that you are seeing with TTL that you see in any other packet from the source ?

Hope it helps !

Re: url_filtering problem

johan.boeckx — Sat, 15 Nov 2014 12:56:38 GMT

HI,

Thanks for the answer. I checked the session based on the source as on the destination. Both there were no active sessions

admin@FW01CO(active)> show session all filter state discard source 10.104.0.8

No Active Sessions

admin@FW01CO(active)> show session all filter state discard source 10.104.0.8

No Active Sessions

admin@FW01CO(active)> show session all filter state discard destination 193.109.234.40

No Active Sessions

admin@FW01CO(active)> show session all filter state discard destination 193.109.234.43

No Active Sessions

Re: url_filtering problem

HULK — Sat, 15 Nov 2014 14:58:11 GMT

Hello Johan,

Could you please try to clear URL cache from this PA firewall.

>clear url-cache all

>delete dymanic –url host all

Even after applying above command, issue persists, then apply below command. ( it will not impact to your production traffic)

>debug software restart device-server

Hope this helps.

Re: url_filtering problem

johan.boeckx — Sun, 16 Nov 2014 11:57:33 GMT

I tried this, but didnt gave any result. I digged a bit deeper and read number of Palo alto docs regarding flow_tcp_non_syn_drop, which I had a lot. This is related to assymetric routing. Strange is that we dont have assymetric routing, but since this webside is in the cloud, the problem can have originated on the internet. Anyway, I disabled the TCP - reject non-SYN first packet: from true to false. Now,a number of applications work on this cloud based site, only not the citrix related, tunneled through ssl.Nothing is blocked through policies.

Re: url_filtering problem

rkcchaitu — Mon, 04 Feb 2019 12:18:16 GMT

Just curious to know,how the problem is resolved