07-18-2018 08:52 AM - edited 07-18-2018 09:02 AM
Hi everyone
i got the problem for the PAN-OS upgrade from 6.1.X to 7.1.1X, the environment deploy SSL decrypt already, also had security profile include URL-filtering, Anti-virus, Anti-spyware, vulnerability, it like normal use, but when i finished upgrade palo alto appliance, we cannot succeed running google services like google-maps, google-translate, google-calendar, the webpage cannot display the all detail, even i saw the traffic log, threat log and url filtering log haven't any drop or deny message;
for example, usually we entry some keyword to google-translate area, it will synchronize your input translation to target language,
but now, the webpage of google-translate cannot synchronize the keyword input to translate area, also no any response, even tried changed browser, closed quic protocol;
for example 2, when i from mainpage migrated to google-map page already, the page cannot load the road map, but no any fail log or error message in browser
now have 3 point as below
1. only google web services occurred to my environment.
2. if ssl session haven't decrypt, webpage success load and services work possible.
3. if ssl session decrypt already without deploy security profile, webpage success load and services work possible.
could someone can help me to resolve this problem? thanks
07-18-2018 11:59 AM
If the only time you run into the issue is if you are actively decrypting the traffic, and you have a security profile assigned to it; I would assume that it's an issue that you should be able to see in the 'Threat Log' on the device. Look there and see if you don't have something that's being reset due to it getting identified.
07-18-2018 11:22 PM
Hi @BPry
thanks for your reply.
i tried deploy the all alert action for security profiles and put in security policy, the connection still have problem for web page response of google services, but when i turn off the security profiles check on security policy, the google services work smooth;
we have not strongly reason to explanation ssl decrypt to effect the google services. because all log seems OK.
thanks
07-19-2018 10:19 AM
I would contact TAC and let them work through this problem with you as I suspect that it's something relatively minor that is reseting the traffic that you may simply not be configured to log currently.
07-19-2018 11:09 AM
Hi @BPry
thank you so much and help.
so you mean may have something traffic has been block, but the session log not work normally then have not record to monitor tab?
the workflow like this
decrypted SSL --> get some reason --> security profile check --> block (not record) --> session drop
not decrypted --> cannot get some reason --> security profile check --> session forwarded
it difficult to verify which reason trigger session block, cause i saw the https get and post at browser, they just displayed data successed loaded,
for example, if we load the default google maps webpage , the browser will get may 2-30 https connection for data transmission, but on this case, browser just get may 3-5 connection and no any fail connect.
07-19-2018 11:32 AM
To which PAN-OS version exactly did you upgrade?
07-19-2018 01:00 PM
I would also recommend to open a support case ...
And what you could check also:
07-20-2018 03:08 AM
Hi @Remo
thanks for the reply.
i tried changed input the different security profiles on security policy,
the method like below
sign the single security profile or group security profile on security policy and all action change to alert,
but it cannot resolve this problem, the website work success only after unset the security profile.
also when i tried disable decryption policy and deployed security profiles, then google-services website work smoothly,
so i had the two factor let google-services fail
1. security profiles
2. decrypt
thanks
07-20-2018 06:24 AM
Ya, this is really a case for TAC. It really sounds like something with the security profile; whether that be within the URL-Filtering, Antivirus, or antispyware categories is blocking this traffic but isn't actually logging the event for whatever reason. This could be due to the upgrade, or it could be the configuration itself. Without the ability to actually look at the issue firsthand I'm not sure how much more help we can actually be on this.
FYI:
The reason you need the two factors (security profiles and decryption policies) to get this to work is because the firewall can't fully see the traffic if it isn't decrypted. When the traffic is decrypted and the security policy is in place something in your security policy is likely causing the traffic to reset. You kinda have to go out of your way to have the firewall take action on the traffic via the security policies and not log this; so it's likely that something got messed up in the upgrade. That or you clicked just the right things to disable logging for this, which I can't see someone accidently doing.
07-22-2018 08:12 PM
Hi @BPry
thanks for your help
the case open already.
you are right, i think the reason of problem is decryption issue too.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
