palo alto interrupting web server traffic

Showing results for 
Show  only  | Search instead for 
Did you mean: 

palo alto interrupting web server traffic

L4 Transporter



I have web server , in some computers website load properly and  some  not loading properly .

I suspect pa is interrupting  


Please advise 




As per the screenshot there is  SYN-ACK and corresponding (5 and 6) and finally client sent an ACK (11 and 12) 

so the server listening on port 2048 , is'nt it ?



A couple things could help clear it up if you can repost the screenshot:


  • Remove or hide the SNR and Rate columns in Wireshark.
  • Reduce the sizes of the IP columns to expand the other columns that have "..." so we can see the full data.
  • I assume the "delta" column is delta time between displayed frames, but expanding that field could help (or change your time display format to "Seconds since previous displayed packet".
  • Grab a packet capture of a working client to compare the flow.


It looks like we see two sets of three-way handshakes here, both on destination port 2048. Both handshakes are complete, and there seems to be an exchange of data (client sends PSH flags on frames 11-12, 13-14, and 15-16; the server sends a reply in frames 17-18).


If the traffic is known to Wireshark, you can also decode it as the known traffic (if it's TLS for example, right-click on any frame and choose Decode As..., and specify port 2048 to be whatever the actual traffic is).

Hi gwesson

Thank you for the  reply  . 

I have adjusted the view as you said . And  i did decode as 'ssl' 




Sorry for the incenvenience 




Yes, correct. The server is listening on TCP 2048 port (no doubt) but same time we can see SSL traffic to the same server. But what l am trying to understand is how is the PA seeing this traffic and how it is identifying? Under which application. This all info is under Monitoring tab on PA.

@TranceforLife is bringing up a really good point. If the only information that your giving is a wireshark it doesn't actually tell us what the Palo Alto itself is seeing. Knowing what your security policy for the traffic looks like, how the Palo Alto is seeing the termination, all of that other good information.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!