Restrict Google Domain login

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Restrict Google Domain login

L2 Linker

Hello,

I have been using a header insertion to restrict login to an approved list of Google Domains for a couple of years now. However, I have now encountered an issue and was wondering if anyone else had a similar experience or has any idea what to do.

On one of our domains, there is a regular but seemingly random occurrence of login failures with the error message - 

Something went wrong

Sorry, something went wrong there. Please try again.
 
When this happens on a device, it can start working correctly again afterwards with no changes being made. If I disable decryption for accounts.google.com then users can login with any account again.
 
Checking Chrome in developer mode shows that the connection fails going to https://accounts.google.com/_/lookup/accountlookup?hl=en-GB&_reqid=* and stalls when at the initial connection stage. Another device on the same subnet will be able to successfully connect to the above URL and thereofee be restricted to only the Google Domains we allow.
Other domains we have in our organisation dont seem to have the problem, I am struggling to see a pattern that would enable me to isolate the issue. Any help would be greatly appreciated!
5 REPLIES 5

L5 Sessionator

Are you able to confirm that those decrypted sessions aren't utilizing TLS 1.3 (unless you're on PAN-OS 10+), and not utilizing QUIC? 

 

I've seen some funky things happen as a result of the two, and infrequently is it because of App-ID or a security policy. 

Help the community! Add tags and mark solutions please.

Hi,

 

Thanks for the response. Unfortunately I cant confirm this as the issue never seems to appear when a packet capture is done, very strange. I have a TAC support case open on this one.

L0 Member

Did you ever get this figured out, was TAC any help? Facing the same problem intermittently, minus the any header insertion (just decryption). It's hit or miss as you indicated and PCAP shows what you describe as the stall w/ no response from the server, like it never makes it out. Logs have been unhelpful thus far. Appreciate the assist!

Hi,

Still working with TAC on this one, still think we have a way to go. One thing I have found is that certain commands for diagnostics prevent the issue from occurring on the device you are testing with which is a little odd. What PAN-OS version are you using?

L0 Member

Sitting on the v9.0 branch. Have disabled QUIC, TLS 1.3 Early Data, and CECPQ2 via the client browser thinking that might help, but it made no difference. Appearing like it might be an issue w/ the Palo acting as the client w/ the external server (accounts.google.com) vs the Palo acting as the server to internal clients. If you could let us know what the final resolution w/ TAC is, that'd be great!

  • 5485 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!