Apple Software Updates Issue with Palo Alto

L3 Networker

Hi,

If we try to update apps on an iPhone they don’t update, but if we remove the security profiles the apps update with no issues.

When you click update it attempts to do the download and just fails.

We are using the following security profiles (image attached). We think this may actually be a bug.

The update is only successful if the rule has NO profiles attached.

We just turned them off one by one, nothing worked until they were all off.

We attached the wildfire profile only, it stopped working.

We attached the alert only file blocking policy and it stopped working.

We do not have SSL decryption configured. Users are directly connected with Palo Alto over WLAN not VPN.

[Attached image: 1 (7).png]

Accepted Solutions

Raised the issue with TAC and they found the issue as mentioned in the below KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POjhCAG&lang=en_US%E2%80%A...

By enabling "Allow HTTP partial response" the issue got resolved.

Under Device->Setup->Content-ID->Content-ID Settings

Cyber Elite

@Jatin.Singh

Please check logs for WildFire submissions and look for the action; also check the threat and data filtering logs.

Here you will see why and which security profile is blocking the connection.

Regards

MP

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Could you please share the individual profile settings you are mapping?

Also, could you please try attaching all profiles except the WildFire Analysis Profile and check if it works?

Shehriyar Ahmed

@MP18 nothing in the logs indicating a block, either traffic or threat.

I attached the alert only file blocking policy and it stopped working.

I just turned them off one by one, nothing worked until they were all off.

I attached the wildfire profile only, it stopped working.

[Attached images: 2 (3).png, 3.png, 4.png, 5.png, 6.png, 7.png, 8.png]

@Jatin.Singh

Looking at the profile settings we cannot tell how traffic is blocked.

You need to check under Monitor the traffic, threat, url-filtering, wildfire and other logs for the specific source and destinations to see why traffic is blocked.

Regards

MP

Help the community: Like helpful comments and mark solutions.

We have already checked and cannot see any blocked traffic.

We have made a simple test policy.

[Attached image: Capture.JPG]

Also, without any profiles attached it works, and then we attached the File Blocking alert only profile and it stopped working.

Alert only profile will not block the updates? And no other profile was attached while testing it.

Rule is allowing all from the source as seen above.

[Attached image: 7.png]


Cyber Elite

@Jatin.Singh,

What version of PAN-OS do you have installed? I've never had an issue with iOS updates downloading properly with a full suite of profiles applied to the traffic, including a profile that directly matches your "Alert-Only-FB" settings. 

@Jatin.Singh

Thanks for letting us know.

Regards

Mahesh

MP

Help the community: Like helpful comments and mark solutions.

L0 Member

This works really well for us, thank you! Facing same issue here. Help is appreciated.
