I have an issue that seems to only be affecting one user. They seemingly randomly get the block page when doing a google search. Looking at logs most searches are allowed but then I will see the occasional block-url. I think I have narrowed it down to when chrome is opened the first search fails. Searching after that works ok. If I open a new chrome tab then gets blocked again on the first search. The home page is set to google.com. I tried explicitly setting it to https://www.google.com but same result. Any idea why just the first search is getting the block?
shows application google-base with an action of block-url for the url www.google.com/search. I had support take a look at it with me and they are not sure what is causing it. They believe something with the PC since it is only happening with one user. It's strange though, as long as you are using the same tab, the same search when done a second time works. Create a new browser window or tab and the first one is blocked. Subsequent search in that tab/windows work fine.
We're seeing a similar issue on PANOS 9.0.11 - traffic to Google.com searched first hits an IP address, which is being blocked due to the IP being classified as Unknown. After about 10-20 seconds of waiting, the user is redirected to Google, and no error message is shown to the end user.
In the URL Filtering log in the firewall web UI the category and category list for the IP address is search-engines and search-engines,low-risk. A URL test from the CLI lists the IP as unknown. The traffic is identified as google-base.
This started happening after upgrading from PANOS 8.1 to 9.0, and I have a theory that this is related to HTTP/2 inspection, which wasn't supported at 8.1.
A similar issue, PAN-137387, should've been resolved in 9.0.9: "Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization."
Have anyone experienced the same on 9.0, and were you able to resolve it?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!