google searched blocked

gvyskocil
L2 Linker

I have an issue that seems to only be affecting one user. They seemingly randomly get the block page when doing a Google search. Looking at the logs, most searches are allowed, but then I will see the occasional block-url. I think I have narrowed it down to this: when Chrome is opened, the first search fails. Searching after that works OK. If I open a new Chrome tab, then it gets blocked again on the first search. The home page is set to google.com. I tried explicitly setting it to https://www.google.com but got the same result. Any idea why just the first search is getting the block?

BPry
Cyber Elite

@gvyskocil,

What does the URL log actually say that denied the traffic? 

gvyskocil
L2 Linker

It shows application google-base with an action of block-url for the URL www.google.com/search. I had support take a look at it with me and they are not sure what is causing it. They believe it is something with the PC since it is only happening with one user. It's strange though: as long as you are using the same tab, the same search works when done a second time. Create a new browser window or tab and the first one is blocked. Subsequent searches in that tab/window work fine.

as-mg
L3 Networker

We're seeing a similar issue on PANOS 9.0.11 - traffic to Google.com searched first hits an IP address, which is being blocked due to the IP being classified as Unknown. After about 10-20 seconds of waiting, the user is redirected to Google, and no error message is shown to the end user.

In the URL Filtering log in the firewall web UI the category and category list for the IP address is search-engines and search-engines,low-risk. A URL test from the CLI lists the IP as unknown. The traffic is identified as google-base.

This started happening after upgrading from PANOS 8.1 to 9.0, and I have a theory that this is related to HTTP/2 inspection, which wasn't supported at 8.1.

A similar issue, PAN-137387, should've been resolved in 9.0.9: "Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization."

Has anyone experienced the same on 9.0, and were you able to resolve it?

Chris.Crispino01
L0 Member

I had the same issue. Support recommended upgrading to 9.1.3. I put a workaround policy in to strip the ALPN for the search-engine category in the decryption policy.
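
A triage sketch for the two patterns reported in this thread (a block-url on an IP-literal request that is followed by an allowed request, and a block on a hostname that is allowed on retry), added here as an example and not code from any poster or from Palo Alto Networks. The CSV column names, addresses, timestamps and log rows are constructed assumptions; a real URL Filtering log export uses different headers and would need mapping first.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta

# Constructed sample rows. Column names are simplified assumptions,
# not the header names of a real PAN-OS URL Filtering log export.
SAMPLE = """time,src,app,action,url
2021-01-12 09:00:01,10.1.1.50,google-base,block-url,203.0.113.10/
2021-01-12 09:00:15,10.1.1.50,google-base,alert,www.google.com/search
2021-01-12 09:05:02,10.1.1.50,google-base,block-url,www.google.com/search
2021-01-12 09:05:09,10.1.1.50,google-base,alert,www.google.com/search
2021-01-12 09:07:00,10.1.1.77,web-browsing,block-url,blocked.example/
"""
ALLOWED = {"alert", "allow"}  # actions treated as "request was let through"

def host_of(url):
    """Logged URLs have no scheme: keep the part before '/', drop a port."""
    host = url.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text, window=timedelta(seconds=30)):
    """Return blocks that were followed by an allowed request from the same client."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["host"] = host_of(r["url"])
    findings = []
    for b in (r for r in rows if r["action"] == "block-url"):
        retry = [r for r in rows
                 if r["src"] == b["src"] and r["app"] == b["app"]
                 and r["action"] in ALLOWED
                 and timedelta(0) <= r["ts"] - b["ts"] <= window]
        if is_ip(b["host"]) and retry:
            kind = "ip-literal-then-allowed"      # request keyed on IP, not hostname
        elif any(r["host"] == b["host"] for r in retry):
            kind = "same-host-allowed-on-retry"   # first request blocked, repeat allowed
        else:
            continue                              # ordinary policy block
        findings.append((b["time"], b["src"], b["url"], kind))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```

Blocks that match neither pattern are left out, so the output separates likely categorization glitches from ordinary policy blocks that need no follow-up.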
