topic Website issue. in General Topics

Website issue.

AzerbaijanSupermarkets — Mon, 15 Oct 2018 06:07:36 GMT

Hi to everyone!

We have one site - halqa.az, which I can't give access to.

I have permitted everything on policies, permitted everything on decryption, still no success.

What should be else permitted? Maybe some of you will be able to help me.

Maybe there is any timeout issue or anything else.

Re: Website issue.

LukeBullimore — Mon, 15 Oct 2018 16:26:58 GMT

PAN-DB categorizes halqa.az as Insufficient Content (https://urlfiltering.paloaltonetworks.com) - which you may be blocking. Can you check for any blocks in the URL Filtering Log?

Re: Website issue.

AzerbaijanSupermarkets — Tue, 16 Oct 2018 09:01:22 GMT

Good day!

There are no logs. Only timeouts. This site is some kind of test page.

Re: Website issue.

AzerbaijanSupermarkets — Tue, 16 Oct 2018 11:05:34 GMT

also there are such kind of logs - incomplete and aged-out.

this public ip is an ip of this server(halqa.az).

Re: Website issue.

OtakarKlier — Tue, 16 Oct 2018 16:14:47 GMT

Hello,

Edit the columns to include 'Log Subtype'. I have see that sometimes this will be deny and the action is allow. To adjust the columns view, hover the mouse above one of the title fileds and click the down arrow. Then you can select the one you want.

Regards,

Re: Website issue.

Sandeep_R — Mon, 17 Dec 2018 13:11:41 GMT

Hello ,

I faced a similar issue where the the website was not accessible when the traffic goes via Paloalto device. But the website is accessible from other network without PA.

This may be due to the packets from the web Server not having the window-scale information inside TCP packets. Paloalto will by default drop such TCP packets even though traffic is allowed in security policy.

For this you can check the TCP settings in Device--> Setup--> Session--> TCP Settings, change the Asymmetric path to bypass ( By default it will be drop )

It worked for me..

This will be the mis configuration in Web Server. If the Window-Scale details are not seen in TCP packets from Server reply, paloalto considers it as a asymmetric reply and will drop.

we can configure the Zone protection profile as well on the Untrust zone as well under ZoneProtection profile --> add --> Packet based Attack Protection -- TCP Drop --> Asymmetric Drop --> Bypass. And call this profile in Zone

But as a security best practice this is not recommended as it might give chance to attacks like IP spoofing and sequence number prediction.

We cannot have IP based or URL based bypass for this kind of issue.

Hope this helps... 🙂 🙂

Regards,

Sandeep

Re: Website issue.

Rikkert_Kooy — Mon, 17 Dec 2018 15:04:45 GMT

@Sandeep_R:

Are you sure that window-scale information missing is solved by bypassing Assymmetric path? Because asymmetric routing should just be the fact that path from client to server isn't mirrored for the path from server to client (for example traffic from client to server does go through the firewall, but for server to client it doesn't)

@AzerbaijanSupermarkets:

When you click in the traffic log on the traffic from your client to the server, do you only see packets received or also sent?

And possibly stupid question, but are you sure your traffic from your public ip isn't being dropped on their end?

Re: Website issue.

Raido_Rattameister — Mon, 17 Dec 2018 16:26:25 GMT

halqa.az resolves to 85.132.12.14

Monitor > Packet Capture > Manage Filters
Add 2 filters.
One where 85.132.12.14 is source.
One where 85.132.12.14 is destination.
Turn filtering on.

Go to cli.
> show counter global filter delta yes packet-filter yes

Now try to access website.
And then run same command again.

> show counter global filter delta yes packet-filter yes

Other option is to see if anything was dropped with severity drop.
> show counter global filter delta yes packet-filter yes severity drop

Switch off filter and remove 2 filters added before.