message security over http

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

message security over http

L4 Transporter

How does PA handle message security over http ?

Whereas https secures the communication, message security secures the content.

 

I would expect PA does not touch http content. But we are having issues with an application that connects to a partners server.

 

Application throws this error, I guess it's a pretty default .net error:

An error occurred while receiving the HTTP response to http://blabla/blablaConnectorHostService.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down).

 

Partner says it has something to do with large transfers that get interrupted. I'm guessing it happens somewhere on the firewall.

1 accepted solution

Accepted Solutions


@dieterb wrote:

@TranceforLife wrote:

This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration


We heavily use user-id for that zone. But for some traffic, that doesn't matter. User Any solves that problem for most cases.


Ok, problem is indeed related to user-id: http traffic triggers an NTLM authentication request (if there's no user-ip-mapping) on the firewall. Application did not know how to handle that and resets session.

 

The trick was to put the client's fixed IP address in the exclude list for user identification for the zone. Not only in the user-id agent exclude list and/or PA user-id exclude list (what most of the time just worked because it was no http traffic).

Now the firewall doesn't ask for NTLM auth and traffic passes fine.

 

I also found out that it's not possible to disable NTLM entirely, is that correct ? Maybe because of captive portal ?

View solution in original post

16 REPLIES 16

L6 Presenter

Hi,

 

Good place to start is a traffic logs for this particular session (s), session-end reason and application identification. What can you see?

Cyber Elite
Cyber Elite

Look at your threat logs and make sure the PA isn't resseting something due to it identification anything as a possible threat. 

good point threat logs, totally forgot about them :0 busy day............

Right now the application seems to generate no logging at all...

I will get back when I have something useful 🙂

@dieter_b make sure that you actually have logging enabled on your security policies that you suspect this should be hitting, sounds like you likely don't have it set to log at start or end. 

or traffic is not even hitting that policy!

I have logging enabled for start and end. And I'm pretty sure the traffic should hit the rule. Logging is enabled for almost everything (except for some dns, ntp and "internal" traffic). So if there would be a deny somewhere or a threat blocked, I would see it.

 

So here's the fun part:

If there's no user-to-ip mapping for the clients ip, nothing is logged.

If there is a user-to-ip mapping, I have log entries.

 

Session end reasons are tcp-rst-from-client and tcp-fin, so pretty normal.

 

Known user or not should not even matter. The rule allows Any app/service for Any user from clients fixed ip. And for troubleshooting I don't even have a security profile attached.

 

In a wireshark capture on the client I only get a dry RST from the server. But that could be the firewall sending a RST.

 

Would the option "Disable Server Response Inspection" do any good ?

 

 

DSRI option may be useful under heavy server load conditions.  Post the security policy here same as PCAP snip. Firewall, as far as l know, will not intercept the session (in your case as you can see tcp-rst-from-client and tcp-fin logs). If the firewall sends you RST you should see its IP address as a source. Firewall only generates a logs based on how it seing the session between client-server.

That's all there is to the rule:

rule.png

 

Sorry I can't give PCAP, would reveal too much info.

 

You say firewall ip would be seen as source ip of RST. That's not the case so I assume RST is really coming from remote server.

 

Can anyone confirm PA does not alter http content ? There's no such thing as http message security decryption ? Or an option that blocks encrypted http messages ?

This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration:

 

ID.PNG

@dieter_b if you don't have a profile associated with it the firewall should never issue a reset, since it should just be allowing the traffic. I would take a look at what the identified applications TCP Timeout, TCP Half Closed, and TCP Time Wait settings are. Just for giggles customize those to something completely unreasonably high and see if the issue persists. The firewall may not be seeing any type of response from the other server and terminating the session because it believes the session has gone stale. 


@TranceforLife wrote:

This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration


We heavily use user-id for that zone. But for some traffic, that doesn't matter. User Any solves that problem for most cases.


@BPry wrote:

@dieter_b if you don't have a profile associated with it the firewall should never issue a reset, since it should just be allowing the traffic. I would take a look at what the identified applications TCP Timeout, TCP Half Closed, and TCP Time Wait settings are. Just for giggles customize those to something completely unreasonably high and see if the issue persists. The firewall may not be seeing any type of response from the other server and terminating the session because it believes the session has gone stale. 


Good idea, I will give this a try. I just hope our session limit is not reached, since we're talking about http 🙂

I have pretty much default general session timeouts

sestimeouts.png

 

Connections are dropped way faster than that.

 

Where can I find application specific timeouts ?

  • 1 accepted solution
  • 6672 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!