url_filtering problem

Reply
Highlighted
L2 Linker

url_filtering problem

HI all,

We have a cluster of 2xPA3050, for protection to untrusted zone. Last week we enabled the trial license for url_filtering. Since that moment we have met a special problem. We use a citrix application over ssl in the cloud. This citrix server is perfectly reachable, but after the authentication, the application seems to hang. We disabled all rules referring to url_filter categories, so there is no reference in the policy to url-filter. Nevertheless, with the license enabled, the citrix application doesn't work. There is no reference in the monitor tab/logs that something is dropped. By doing a packet capture, we only see an rst tcp reset from the other side, but nothing seems to be dropped or logged.

Anybody knows how I can troubleshoot this ? Is there a possibility that with activating the pan-db database in the licenses, without activating any rules, that there is an interception on ssl traffic ?

We have panos6.1, url_filtering, also global protect is enabled. Ssl decription is not enabled.

Thanks and greetz,

Johan

bat
L5 Sessionator

Re: url_filtering problem

Hi johan.boeckx

Do you see any session in discard state for the concerned IP address, you can look at it using : show session all filter state discard source <ip-address> ?

Also can you compare the TTL value in RST packet that you are seeing with TTL that you see in any other packet from the source ?

Hope it helps !

L2 Linker

Re: url_filtering problem

HI,

Thanks for the answer. I checked the session based on the source as on the destination. Both there were no active sessions

admin@FW01CO(active)> show session all filter state discard source 10.104.0.8

No Active Sessions

admin@FW01CO(active)> show session all filter state discard source 10.104.0.8

No Active Sessions

admin@FW01CO(active)> show session all filter state discard destination 193.109.234.40

No Active Sessions

admin@FW01CO(active)> show session all filter state discard destination 193.109.234.43

No Active Sessions

L7 Applicator

Re: url_filtering problem

Hello Johan,

Could you please try to clear URL cache from this PA  firewall.

>clear url-cache all

>delete dymanicurl host all

Even after applying above command, issue persists, then apply below command. ( it will not impact to your production traffic)

>debug software restart device-server

Hope this helps.

L2 Linker

Re: url_filtering problem

I tried this, but didnt gave any result. I digged a bit deeper and read number of Palo alto docs regarding flow_tcp_non_syn_drop, which I had a lot. This is related to assymetric routing. Strange is that we dont have assymetric routing, but since this webside is in the cloud, the problem can have originated on the internet. Anyway, I disabled the TCP - reject non-SYN first packet: from true to false. Now,a number of applications work on this cloud based site, only not the citrix related, tunneled through ssl.Nothing is blocked through policies.

L0 Member

Re: url_filtering problem

Just curious to know,how the problem is resolved

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!