not able to access certain web sites from host behind PAN firewalls

dtran
L3 Networker

I am trying to access http://www.brokercheck.com from behind the PAN firewall via dynamic NAT without any success. I have other customers behind different PAN firewalls, regardless of PAN-OS version, with the same issue accessing the website http://www.brokercheck.com.

The FW rule is wide open: "any any accept log".

It works for customers NOT behind PAN firewalls. In other words, hosts behind Cisco ASA and Check Point firewalls can access http://www.brokercheck.com without any issues.

I have a TAC case open with Palo Alto support and am waiting to hear back from them.

Thoughts?

SutareMayur
L6 Presenter

Hi @dtran ,

What are you seeing under the traffic logs? The traffic logs should give more clarity on this. You can also check a few other points:

1. First, check whether traffic for the URL in question is reaching the firewall. If there are any DNS issues on the source system, you won't see any traffic on the firewall.

2. Check whether the required security policy is being applied to the traffic for this URL on the Palo Alto, and whether that security policy is allowing the traffic.

3. Check whether any other security profile, e.g. URL Filtering, is blocking it.

4. Check that the NAT policy and the desired routing are being applied on the firewall when accessing this URL.

Please check these points.

Mayur S.
dtran
L3 Networker

No issues with DNS, URL filtering, NAT... Did I mention that if I replace the PAN with a Cisco or Check Point, I don't have this issue?

This issue is reproducible from multiple customers that are behind PAN firewalls, from different locations and different ISPs.

SutareMayur
L6 Presenter

Hi @dtran ,

I tested the URL from one of my test systems, which is behind a Palo Alto, and the URL is working. It gets redirected to https://brokercheck.finra.org/.

Mayur S.
dtran
L3 Networker

I found the solution here: https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack

Apparently many users who are behind PAN firewalls have issues accessing this site.