Many government sites are not opening on Palo Alto Networks. The same sites open on an outside network


L1 Bithead

Many government sites are not opening on Palo Alto Networks. The same sites open on an outside network. Please suggest.

6 REPLIES

Community Team Member

Hi @SankalpS ,

 

You're not giving us much to work with.

 

What do you see exactly? Is there a time-out or other error message? Is your policy allowing it? Do you see the connection attempt in the traffic logs? Are you using decryption? If so, is it being decrypted properly? Do you see any drops in global counters when trying to access the websites? Which platform and PAN-OS version are you using?

 

Kind regards,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi

We get a "site can't be reached" message when we try to open Indian government sites like morth.nic.in. We also tried removing the ILL cable from the firewall and connecting it directly to a laptop; then the sites work.

Many of our customers have been facing this issue for the last two days.

L0 Member

We also faced the same issues. Example of Govt Site

Software Version 10.1.5-h2
Deployment: Vwire Mode
Once we removed the Palo Alto firewall from the network, the site started opening. The log says "Aged-out".
Appliance Model 850.

Cyber Elite

Hello,

If you are using SSL decryption, set the government and military URL filter to bypass decryption. Many of these sites don't like to be decrypted since it looks like a man-in-the-middle attack. While it is man in the middle, it's not an attack.

 

Hope this makes sense.

L0 Member

Nope, we are not using any decryption functionality in our appliance. Without SSL encryption/decryption it's not working, whereas the same traffic through a Check Point firewall works perfectly.

Hi @SankalpS , @RVLINFRASEC ,

Have you done any troubleshooting on the firewall? Can you provide some output:

- Are you using URL filtering?

- Are your URL and DNS security licenses still active?

- Check how the firewall is categorizing one of the problematic sites. Connect with SSH to the CLI and use the following commands:

> test url <url>

> test url-info-host <url>

Replace <url> with the address you want to test. What is the output? What action is set for the same category in your URL filtering profile?

- Search URL logs (Monitor -> URL) for one of the problematic URLs. Do you see any logs? What action is seen in the logs?

- Resolve one of the problematic sites (with nslookup for example), search this IP in the Unified logs (Monitor -> Unified). Do you see any deny/block? Check one of the traffic logs - what is the "session end reason"? Is the counter for bytes received different than zero?
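
The last check in the reply above, sketched over an exported traffic log; this is an added example, not part of the thread or of any Palo Alto Networks tooling. The CSV column names, the verdict labels and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not from the thread). Column names are assumed;
# adjust them to match the header of your own traffic-log CSV export.
SAMPLE_CSV = """Destination address,Action,Session End Reason,Bytes Sent,Bytes Received
203.0.113.10,allow,aged-out,296,0
203.0.113.10,allow,aged-out,222,0
203.0.113.10,allow,aged-out,74,0
198.51.100.7,deny,policy-deny,74,0
192.0.2.44,allow,tcp-fin,1820,45211
192.0.2.44,allow,aged-out,74,0
"""

def triage(csv_text, suspect_ips):
    """Classify each suspect destination IP from its traffic-log rows."""
    rows_by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["Destination address"].strip()
        if ip in suspect_ips:
            rows_by_ip[ip].append(row)

    verdicts = {}
    for ip in suspect_ips:
        rows = rows_by_ip.get(ip, [])
        if not rows:
            # No log entry: traffic never reached the firewall or logging is off.
            verdicts[ip] = "no-logs"
        elif any(r["Action"].strip().lower() != "allow" for r in rows):
            # A deny/drop/reset action points at policy or a security profile.
            verdicts[ip] = "blocked-by-policy"
        elif all(r["Session End Reason"].strip().lower() == "aged-out"
                 and int(r["Bytes Received"]) == 0 for r in rows):
            # Allowed, but no return bytes were ever counted before the timeout.
            verdicts[ip] = "allowed-no-reply"
        else:
            verdicts[ip] = "replies-seen"
    return verdicts

if __name__ == "__main__":
    ips = ["203.0.113.10", "198.51.100.7", "192.0.2.44", "192.0.2.99"]
    for ip, verdict in triage(SAMPLE_CSV, ips).items():
        print(f"{ip:15} {verdict}")
```

An "allowed-no-reply" verdict matches the "Aged-out" symptom reported earlier in the thread: the session was permitted but no return bytes were logged, so the next place to look is routing, NAT or the upstream path rather than the security policy.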

 

 
