PAN-OS upgrade problem for google web services

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-OS upgrade problem for google web services

L2 Linker

Hi everyone

 

i got the problem for the PAN-OS upgrade from 6.1.X to 7.1.1X, the environment deploy SSL decrypt already, also had security profile include URL-filtering, Anti-virus, Anti-spyware, vulnerability, it like normal use, but when i finished upgrade palo alto appliance, we cannot succeed running google services like google-maps, google-translate, google-calendar, the webpage cannot display the all detail, even i saw the traffic log, threat log and url filtering log haven't any drop or deny message;

for example, usually we entry some keyword to google-translate area, it will synchronize your input  translation to target language,

but now, the webpage of google-translate cannot synchronize the keyword input to translate area, also no any response, even tried changed browser, closed quic protocol;

 

for example 2, when i from mainpage migrated to google-map page already,  the page cannot load the road map, but no any fail log or error message in browser

 

now have 3 point as below

1. only google web services occurred to my environment.

2. if ssl session haven't decrypt, webpage success load and services work possible.

3. if ssl session decrypt already without deploy security profile, webpage success load and services work possible.

 

could someone can help me to resolve this problem? thanks

10 REPLIES 10

Cyber Elite
Cyber Elite

@TysonLiu,

If the only time you run into the issue is if you are actively decrypting the traffic, and you have a security profile assigned to it; I would assume that it's an issue that you should be able to see in the 'Threat Log' on the device. Look there and see if you don't have something that's being reset due to it getting identified. 

 

Hi @BPry

 

thanks for your reply.

 

i tried deploy the all alert action for security profiles and put in security policy, the connection still have problem for web page response of google services, but when i turn off the security profiles check on security policy, the google services work smooth;

 

we have not strongly reason to explanation ssl decrypt to effect the google services. because all log seems OK.

 

thanks

@TysonLiu,

I would contact TAC and let them work through this problem with you as I suspect that it's something relatively minor that is reseting the traffic that you may simply not be configured to log currently. 

Hi @BPry

 

thank you so much and help.

 

so you mean may have something traffic has been block, but the session log not work normally then have not record to monitor tab?

 

the workflow like this

decrypted SSL --> get some reason --> security profile check --> block (not record) --> session drop

not decrypted --> cannot get some reason --> security profile check --> session forwarded

 

it difficult to verify which reason trigger session block, cause i saw the https get and post at browser, they just displayed data successed loaded, 

for example, if we load the default google maps webpage , the browser will get may 2-30 https connection for data transmission, but on this case, browser just get may 3-5 connection and no any fail connect.

@TysonLiu

To which PAN-OS version exactly did you upgrade?

Hi @Remo

From 6.1.14 -> 7.1.16
thanks

I would also recommend to open a support case ...

 

And what you could check also:

  • Try with a new allow-and-log-ALL vulnerability profile (only vulnerability)
  • Try with a new allow-and-log-ALL anti-virus profile (only anti-virus)
  • If it was working for both of these two, do the same with anti-spyware and URL filtering
  • During these tests check the global counters and do a flow basic analysis (this is probably also what TAC will do)

Hi @Remo

 

thanks for the reply.

 

i tried changed input the different security profiles on security policy,

the method like below

sign the single security profile or group security profile  on security policy and all action change to alert, 

but it cannot resolve this problem, the website work success only after unset the security profile.

also when i tried disable decryption policy and deployed security profiles, then google-services website work smoothly,

so i had the two factor let google-services fail

1. security profiles

2. decrypt

 

thanks

@TysonLiu,

Ya, this is really a case for TAC. It really sounds like something with the security profile; whether that be within the URL-Filtering, Antivirus, or antispyware categories is blocking this traffic but isn't actually logging the event for whatever reason. This could be due to the upgrade, or it could be the configuration itself. Without the ability to actually look at the issue firsthand I'm not sure how much more help we can actually be on this. 

 

FYI:

The reason you need the two factors (security profiles and decryption policies) to get this to work is because the firewall can't fully see the traffic if it isn't decrypted. When the traffic is decrypted and the security policy is in place something in your security policy is likely causing the traffic to reset. You kinda have to go out of your way to have the firewall take action on the traffic via the security policies and not log this; so it's likely that something got messed up in the upgrade. That or you clicked just the right things to disable logging for this, which I can't see someone accidently doing. 

Hi @BPry

 

thanks for your help

the case open already.

 

you are right, i think the reason of problem is decryption issue too.

  • 6497 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!