not able to access certain web sites from host behind PAN firewalls


L4 Transporter

I am trying to access http://www.brokercheck.com from behind the PAN firewall via dynamic NAT without any success.  I have other customers behind different PAN firewalls, regardless of PAN OS version, with the same issue accessing the website http://www.brokercheck.com.

 

The FW rule is wide open "any any accept log"

 

It works for customers NOT behind PAN firewalls.  In other words, hosts behind Cisco ASA and checkpoint firewalls can access http://www.brokercheck.com without any issues. 

 

I have a TAC case opened with PaloAlto support and am waiting to hear back from them.

 

Thoughts?

4 REPLIES

Cyber Elite

Hi @dtran ,

 

What are you seeing under traffic logs? Traffic logs should give more clarity for this. You can also check a few other points, such as:

 

1. First, check if traffic for the URL below is reaching the firewall. If there are any DNS issues on the source system, you won't see any traffic on the firewall.

2. Check if the required security policy is getting applied to the traffic for the URL below on Palo Alto and if the security policy is allowing the traffic.

3. Check if any other security policy profile, e.g. URL filtering, is blocking it.

4. NAT policy and desired routing are happening on the firewall while accessing the URL below.

 

Please check these points.

M

No issue with DNS, URL filtering, NAT....  Did I mention that if I replace the PAN with Cisco or Checkpoint, I don't have this issue?

 

This issue is reproducible from multiple customers that are behind the PAN firewalls, from different locations and different ISPs.

Hi @dtran ,

 

I tested the URL from one of my test systems, which is behind Palo Alto, and the URL is working. It gets redirected to https://brokercheck.finra.org/

 

 

M

I found the solution here:  https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack

 

Apparently many users who are behind PAN firewalls have issues accessing this site.
