09-12-2024 05:16 PM
I am working with a school customer with a PA firewall in place. The issue is Google street view images do not load on the device when connected to the student VLAN but the exact same device switched to the staff VLAN works fine. The actual symptom is the browser shows a message "No street view imagery available here" and a black screen where the images should be. Everything else - including the pins on points of interest work. If I switch the device to the staff VLAN and hit refresh, the page loads fine. I can see the relevant firewall rule is being fired and is supposedly allowing the traffic when the device tries to connect, so that's telling me the firewall is seeing the traffic, but then it logs an 'aged-out' session end reason (see attached screenshot). We've excluded all the listed Google URLs for Maps etc. (https://developers.google.com/maps/domains) from SSL decryption with no effect. It's such a specific issue that it should be easy to figure out, but I don't have the depth of experience with the PA to get to the bottom of this. Firewall is running PAN-OS 10.1.6-h7.
Any pointers on where to look next would be great!
10-02-2024 05:36 PM
OK, so we seem to have finally found the underlying cause. Student devices are directed to a different DNS server than staff/servers, due to network segmentation (not atypical in a school environment). The issue arises as the student network DNS server is not resolving *only* streetviewpixels-pa.googleapis.com - the reason why this URL is not resolved is unknown to us from the remote side. Every other URL required for Google maps etc. works fine. The DNS servers are the responsibility of the school, so we're waiting for them to come back from term break holidays to look further into this. I have to say this is a very odd and unexpected outcome in terms of what the underlying cause was, but it does explain the issue perfectly - and without having the firewall implicated.
09-13-2024 08:02 AM
Do the students nat to a different public address than the staff? Have you enabled your interzone-default logging to verify that you aren't dropping any additional traffic unknowingly that could be causing issues with what you can actually see? That would be the two things I would start with.
If you are using different public addresses for students and staff, test assigning the same address that you would to staff on a student connected device with a targeted NAT entry.
09-17-2024 04:01 PM
All users inside the firewall use the same public IP address, regardless of student/staff/server etc. I'll look at turning up the logging.
09-18-2024 02:43 PM
Are you using different URL Filtering profiles (either set individually or as a Group Profile) under the Action tab of your Security Policy allowing internet access for the student and staff networks? Is a URL filtering group possibly blocking the GoogleMaps data? You should also be able to see the blocks for the student network in the logs at Monitor -> Logs -> URL Filtering.
On an affected device, you can also start up Chrome and go to the menu -> More Tools -> Developer Tools, click on the Network tab, and then try navigating to GoogleMaps StreetView. If you see a bunch of red highlighted web requests, those are being blocked/failing to connect. The headers/response on individual requests may give you more information and the specific destination that is failing.
10-02-2024 05:36 PM
OK, so we seem to have finally found the underlying cause. Student devices are directed to a different DNS server than staff/servers, due to network segmentation (not atypical in a school environment). The issue arises as the student network DNS server is not resolving *only* streetviewpixels-pa.googleapis.com - the reason why this URL is not resolved is unknown to us from the remote side. Every other URL required for Google maps etc. works fine. The DNS servers are the responsibility of the school, so we're waiting for them to come back from term break holidays to look further into this. I have to say this is a very odd and unexpected outcome in terms of what the underlying cause was, but it does explain the issue perfectly - and without having the firewall implicated.
10-08-2024 05:46 PM
Confirmed - DNS resolution issue resolved by school and Street View is now working.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
