Website issue.

Reply

Website issue.

Hi to everyone!

We have one site - halqa.az, which I can't give access to.

I have permitted everything on policies, permitted everything on decryption, still no success.

What should be else permitted? Maybe some of you will be able to help me.

Maybe there is any timeout issue or anything else.

L5 Sessionator

Re: Website issue.

PAN-DB categorizes halqa.az as Insufficient Content  (https://urlfiltering.paloaltonetworks.com) - which you may be blocking. Can you check for any blocks in the URL Filtering Log?

Re: Website issue.

Good day!

There are no logs. Only timeouts. This site is some kind of test page.

 

logs.jpghalqa.az.jpg

Re: Website issue.

 

also there are such kind of logs - incomplete and aged-out.

this public ip is an ip of this server(halqa.az).

incomplete.jpg

 

L7 Applicator

Re: Website issue.

Hello,

Edit the columns to include 'Log Subtype'. I have see that sometimes this will be deny and the action is allow. To adjust the columns view, hover the mouse above one of the title fileds and click the down arrow. Then you can select the one you want.

 

Regards,

L2 Linker

Re: Website issue.

Hello , 

 

I faced a similar issue where the the website was not accessible when the traffic goes via Paloalto device. But the website is accessible from other network without PA. 

 

This may be due to the packets from the web Server not having the window-scale information inside TCP packets. Paloalto will by default drop such TCP packets even though traffic is allowed in security policy. 

 

For this you can check the TCP settings in Device--> Setup--> Session--> TCP Settings, change the Asymmetric path to bypass ( By default it will be drop )

It worked for me.. 

 

This will be the mis configuration in Web Server. If the Window-Scale details are not seen in TCP packets from Server reply, paloalto considers it as a asymmetric reply and will drop. 

 

we can configure the Zone protection profile as well on the Untrust zone as well under ZoneProtection profile --> add --> Packet based Attack Protection -- TCP Drop --> Asymmetric Drop --> Bypass. And call this profile in Zone

 

But as a security best practice this is not recommended as it might give chance to attacks like IP spoofing and sequence number prediction. 

We cannot have IP based or URL based bypass for this kind of issue. 

 

Hope this helps... :) :) 

 

Regards,

Sandeep

L1 Bithead

Re: Website issue.

@Sandeep_R:

Are you sure that window-scale information missing is solved by bypassing Assymmetric path? Because asymmetric routing should just be the fact that path from client to server isn't mirrored for the path from server to client (for example traffic from client to server does go through the firewall, but for server to client it doesn't)

 

@AzerbaijanSupermarkets:

When you click in the traffic log on the traffic from your client to the server, do you only see packets received or also sent? 

 

And possibly stupid question, but are you sure your traffic from your public ip isn't being dropped on their end?

L7 Applicator

Re: Website issue.

halqa.az resolves to 85.132.12.14

 

Monitor > Packet Capture > Manage Filters
Add 2 filters.
One where 85.132.12.14 is source.
One where 85.132.12.14 is destination.
Turn filtering on.

 

Go to cli.
> show counter global filter delta yes packet-filter yes

Now try to access website.
And then run same command again.

> show counter global filter delta yes packet-filter yes

 

Other option is to see if anything was dropped with severity drop.
> show counter global filter delta yes packet-filter yes severity drop

Switch off filter and remove 2 filters added before.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!