Website getting blocked


L3 Networker

Hi Team

We have a PA-220 firewall with PAN-OS version 8.1.5.

We have tried to reach one particular website but it is not reachable. When we checked the traffic logs, the application was shown as "incomplete" and the end session reason was aged-out.

Note: The same website can be reached from an external network.

For testing purposes, we have created one security policy at the top, as below:

Sec policy.PNG

After that also, we are getting the same error "application incomplete" in the traffic logs.

We took a packet capture and it received only the RX and Firewall files. No drops, and no transmit packets were found.

As per the packet capture logs, it sends SYN packets only. No SYN-ACK packets were received.

How do we fix the issue? Please help us.

Regards

Mohammed Asik


4 REPLIES

Cyber Elite

Hi @MohammedAsik

If no SYN-ACK is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself.

One thing you can check is to verify that outbound NAT is being applied properly, so the server has the right IP to reply to.

Next, you could try a traceroute to see if you are able to get to the server IP (there could be a routing or peering issue at the ISP level, or your IP could have been blacklisted on the server).


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Reaper

If no SYN-ACK is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself

Answer: For your information, I am able to reach the same website from the external network (outside network). Only through the Palo Alto firewall I couldn't access the website.

Need to check with the ISP side also and will let you know.

Regards

Mohammed Asik


@MohammedAsik wrote:

Hi Reaper

If no SYN-ACK is received from the webserver, the problem will be on the outside of the firewall or on the webserver itself

Answer: For your information, I am able to reach the same website from the external network (outside network). Only through the Palo Alto firewall I couldn't access the website.

Need to check with the ISP side also and will let you know.

Regards

Mohammed Asik

<edit> @reaper already came up with all my cool ideas.

But wait, there's more: when you set up packet filters for packet capture, make sure you set filters in both directions and both pre- and post-NAT. See if the sequence numbers pan out, and verify the server isn't requesting some weird parameters the firewall won't support. For example: is there a smaller MTU somewhere? You may need to enable TCP MSS to circumvent that (if so, check if the server gets the message and is not ignoring it). Double-check if outbound NAT is alright, and check if the IP can be independently traced to your firewall from the outside (potential ARP issues on the outside).
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization