Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Issues with Webpages Hanging

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issues with Webpages Hanging

L1 Bithead

Hi All,

 

I'm new to Palo Alto and have been having issues with content loading on my network.  Across the network, webpages that are being loaded in browser will periodically hang and as soon as the user refreshes them they load right away.  Also video streaming and image viewing applications appear to behave the same way in that a user will try to load content, can't, will restart the application and then the content will load up fine from the internet.  I'm using the VM-100 and have alocated plenty of RAM and CPU for the VM.  Have looked at security policies but they appear to be fine.  Any suggestions on where to look next would be much appreciated.

 

Thanks!

1 accepted solution

Accepted Solutions

Hi All,

 

I've discovered that having the services in my Security Policies set to "application-default," is what causes the issue.  Defining this myself fixes the issue.

View solution in original post

11 REPLIES 11

L6 Presenter

Hi...A couple of things that you can check:

 

- Ethernet port speed/duplex mismatch

- If you are using URL filtering, FQDN objects, maek sure the DNS server(s) are configured and reachable by the PA.

- Make sure the mgmt port of the PA can get out to the Internet for content updates

 

Thanks,

None of those appear to be an issue.  Maybe MTU setting?

You can take a packet capture to see if there are many fragmented packets which would point to MTU.  

 

Do you have proxy that would affect the cachin of web contents?

 

Are you seeing similar symptom for other traffic like FTP, SSL, etc? 

Just a DNS proxy.  It's most obvious when streaming video or loading images.

Just to test if any of your policies may cause this, can you allow a test user full access (src=ip-test-user any any action=allow) with no blocking on any URL categories, etc.  

Just tested it out and there seems to be minimal change.  live.paloaltonetworks.com actually is one of the sites that takes forever to load.

I suggest the next step may be to contact Support and open a case.  Thanks.

L7 Applicator

A couple of questions:  

 

Which hypervisor are you using?  

 

If you're using VMware ESXi/vSphere, are you using Promiscuous mode on the port-groups where your firewall is connected or have you enabled "Use Hypervisor-assigned MAC address" in the firewall?  

Hi All,

 

I've discovered that having the services in my Security Policies set to "application-default," is what causes the issue.  Defining this myself fixes the issue.

That's odd.  What application needed to use "Any?"

 

Did you have any deny logs of that application on any port other than the "standard?"  If no logs did you have a clean-up rule that's actually logging the denies?  By default palo's implict deny doesn't log.

It caused big problems with Netflix and other streaming services.  Maybe it took too long to look it up in the application-default list?  I'm not sure.  I defined the service ports manually.

  • 1 accepted solution
  • 5146 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!