This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

message security over http

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

message security over http

Go to solution
dieter_b
L4 Transporter

‎03-21-2017 08:22 AM

How does PA handle message security over http ?

Whereas https secures the communication, message security secures the content.

 

I would expect PA does not touch http content. But we are having issues with an application that connects to a partners server.

 

Application throws this error, I guess it's a pretty default .net error:

An error occurred while receiving the HTTP response to http://blabla/blablaConnectorHostService.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down).

 

Partner says it has something to do with large transfers that get interrupted. I'm guessing it happens somewhere on the firewall.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
dieter_b
L4 Transporter
In response to dieter_b

‎03-27-2017 07:55 AM

@dieterb wrote:
@TranceforLife wrote:

This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration

We heavily use user-id for that zone. But for some traffic, that doesn't matter. User Any solves that problem for most cases.

Ok, problem is indeed related to user-id: http traffic triggers an NTLM authentication request (if there's no user-ip-mapping) on the firewall. Application did not know how to handle that and resets session.

 

The trick was to put the client's fixed IP address in the exclude list for user identification for the zone. Not only in the user-id agent exclude list and/or PA user-id exclude list (what most of the time just worked because it was no http traffic).

Now the firewall doesn't ask for NTLM auth and traffic passes fine.

 

I also found out that it's not possible to disable NTLM entirely, is that correct ? Maybe because of captive portal ?

View solution in original post

16 REPLIES 16

Go to solution
TranceforLife
L6 Presenter

‎03-21-2017 08:42 AM - edited ‎03-21-2017 10:20 AM

Hi,

 

Good place to start is a traffic logs for this particular session (s), session-end reason and application identification. What can you see?

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite

‎03-21-2017 10:11 AM

Look at your threat logs and make sure the PA isn't resseting something due to it identification anything as a possible threat. 

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to BPry

‎03-21-2017 10:14 AM - edited ‎03-21-2017 10:15 AM

good point threat logs, totally forgot about them :0 busy day............

0 Likes Likes

Go to solution
dieter_b
L4 Transporter
In response to TranceforLife

‎03-22-2017 05:56 AM

Right now the application seems to generate no logging at all...

I will get back when I have something useful 🙂

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to dieter_b

‎03-22-2017 06:11 AM

@dieter_b make sure that you actually have logging enabled on your security policies that you suspect this should be hitting, sounds like you likely don't have it set to log at start or end. 

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to BPry

‎03-22-2017 06:12 AM

or traffic is not even hitting that policy!

0 Likes Likes

Go to solution
dieter_b
L4 Transporter
In response to TranceforLife

‎03-23-2017 03:43 AM

I have logging enabled for start and end. And I'm pretty sure the traffic should hit the rule. Logging is enabled for almost everything (except for some dns, ntp and "internal" traffic). So if there would be a deny somewhere or a threat blocked, I would see it.

 

So here's the fun part:

If there's no user-to-ip mapping for the clients ip, nothing is logged.

If there is a user-to-ip mapping, I have log entries.

 

Session end reasons are tcp-rst-from-client and tcp-fin, so pretty normal.

 

Known user or not should not even matter. The rule allows Any app/service for Any user from clients fixed ip. And for troubleshooting I don't even have a security profile attached.

 

In a wireshark capture on the client I only get a dry RST from the server. But that could be the firewall sending a RST.

 

Would the option "Disable Server Response Inspection" do any good ?

 

 

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to dieter_b

‎03-23-2017 04:05 AM - edited ‎03-23-2017 04:48 AM

DSRI option may be useful under heavy server load conditions.  Post the security policy here same as PCAP snip. Firewall, as far as l know, will not intercept the session (in your case as you can see tcp-rst-from-client and tcp-fin logs). If the firewall sends you RST you should see its IP address as a source. Firewall only generates a logs based on how it seing the session between client-server.

0 Likes Likes

Go to solution
dieter_b
L4 Transporter
In response to TranceforLife

‎03-23-2017 05:39 AM

That's all there is to the rule:

rule.png

 

Sorry I can't give PCAP, would reveal too much info.

 

You say firewall ip would be seen as source ip of RST. That's not the case so I assume RST is really coming from remote server.

 

Can anyone confirm PA does not alter http content ? There's no such thing as http message security decryption ? Or an option that blocks encrypted http messages ?

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to dieter_b

‎03-23-2017 05:50 AM

This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration:

 

ID.PNG

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to TranceforLife

‎03-23-2017 06:00 AM

@dieter_b if you don't have a profile associated with it the firewall should never issue a reset, since it should just be allowing the traffic. I would take a look at what the identified applications TCP Timeout, TCP Half Closed, and TCP Time Wait settings are. Just for giggles customize those to something completely unreasonably high and see if the issue persists. The firewall may not be seeing any type of response from the other server and terminating the session because it believes the session has gone stale. 

0 Likes Likes

Go to solution
dieter_b
L4 Transporter
In response to TranceforLife

‎03-23-2017 07:23 AM

@TranceforLife wrote:

This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration

We heavily use user-id for that zone. But for some traffic, that doesn't matter. User Any solves that problem for most cases.

0 Likes Likes

Go to solution
dieter_b
L4 Transporter
In response to BPry

‎03-23-2017 07:25 AM

@BPry wrote:

@dieter_b if you don't have a profile associated with it the firewall should never issue a reset, since it should just be allowing the traffic. I would take a look at what the identified applications TCP Timeout, TCP Half Closed, and TCP Time Wait settings are. Just for giggles customize those to something completely unreasonably high and see if the issue persists. The firewall may not be seeing any type of response from the other server and terminating the session because it believes the session has gone stale. 

Good idea, I will give this a try. I just hope our session limit is not reached, since we're talking about http 🙂

0 Likes Likes

Go to solution
dieter_b
L4 Transporter
In response to dieter_b

‎03-24-2017 04:20 AM

I have pretty much default general session timeouts

sestimeouts.png

 

Connections are dropped way faster than that.

 

Where can I find application specific timeouts ?

0 Likes Likes
  • 1 accepted solution
  • 7775 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks