Anyone experiencing slow websites with PANOS patched for CVE-2024-0012/CVE-2024-9474?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Anyone experiencing slow websites with PANOS patched for CVE-2024-0012/CVE-2024-9474?

L6 Presenter

Is anyone else experiencing intermittent slow website access with the recent hot patches for CVEs? Currently running 10.2.9-h16 and having intermittent issues with some websites, some users, while others have no issues. I can't find anything in the PaloAlto logs that indicate any problems (no threat, AV, reset connections, decryption failures, etc.). Chrome debug tools show that this slowness is being caused be "stalled" connections, where one or more elements within a page stall for exactly 10.0 seconds before connecting/downloading. No connection resets/failures to download, just stalls before the download actually occurs. Its even happening here on the forums. I have been digging pretty deep into packet captures and browser debugging, but so far I haven't been able to find anything...

2 REPLIES 2

L6 Presenter

I had to roll back from 10.2.9-h16 to 10.2.9-h1 overnight and this has fixed the slow website access. No other changes to the NGFW were made, but everything is working again. I am opening support ticket with PA to review.

 

From what I can tell, something in 10.2.9-h16 seems to be breaking either decryption or HTTP2 session tracking. This results in the firewall apparently closing SSL connections from some clients to some destination servers, while the browser thinks the connection is still valid (no FIN was seen in packet captures). The browser then tries to reuse the existing connection to download the next page and stalls for 10 seconds before initializing a new SSL connection. The firewall shows the affected connections from affected clients on one subnet as not decrypted, while non-affected clients on a different subnet are shown as decrypted, even though both go through the exact same decryption/security policies.

L6 Presenter

After discussion with support, this has been confirmed to be related to internal PaloAlto bug PAN-270549, which is related to PAN-263226. It causes decryption and session tracking to fail for SSL sessions using certain browser cipher options. There are a couple workarounds available. A patch is tentatively scheduled for release dates later this month into January, depending on the chain. If you are experiencing a similar problem, reference the above PAN as a possible cause if opening a ticket with PA support.

  • 859 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!