This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Restrict Google Domain login

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Restrict Google Domain login

MichaelWrigh
L2 Linker

‎01-18-2022 01:38 PM

Hello,

I have been using a header insertion to restrict login to an approved list of Google Domains for a couple of years now. However, I have now encountered an issue and was wondering if anyone else had a similar experience or has any idea what to do.

On one of our domains, there is a regular but seemingly random occurrence of login failures with the error message - 

Something went wrong

Sorry, something went wrong there. Please try again.
 
When this happens on a device, it can start working correctly again afterwards with no changes being made. If I disable decryption for accounts.google.com then users can login with any account again.
 
Checking Chrome in developer mode shows that the connection fails going to https://accounts.google.com/_/lookup/accountlookup?hl=en-GB&_reqid=* and stalls when at the initial connection stage. Another device on the same subnet will be able to successfully connect to the above URL and thereofee be restricted to only the Google Domains we allow.
Other domains we have in our organisation dont seem to have the problem, I am struggling to see a pattern that would enable me to isolate the issue. Any help would be greatly appreciated!
1 person had this problem.
0 Likes Likes
5 REPLIES 5

LAYER_8
L5 Sessionator

‎01-31-2022 11:21 AM

Are you able to confirm that those decrypted sessions aren't utilizing TLS 1.3 (unless you're on PAN-OS 10+), and not utilizing QUIC? 

 

I've seen some funky things happen as a result of the two, and infrequently is it because of App-ID or a security policy. 

Help the community! Add tags and mark solutions please.
0 Likes Likes

MichaelWrigh
L2 Linker
In response to LAYER_8

‎02-03-2022 02:17 PM

Hi,

 

Thanks for the response. Unfortunately I cant confirm this as the issue never seems to appear when a packet capture is done, very strange. I have a TAC support case open on this one.

0 Likes Likes

arg2022
L0 Member

‎02-15-2022 11:22 AM

Did you ever get this figured out, was TAC any help? Facing the same problem intermittently, minus the any header insertion (just decryption). It's hit or miss as you indicated and PCAP shows what you describe as the stall w/ no response from the server, like it never makes it out. Logs have been unhelpful thus far. Appreciate the assist!

0 Likes Likes

MichaelWrigh
L2 Linker
In response to arg2022

‎02-15-2022 01:39 PM

Hi,

Still working with TAC on this one, still think we have a way to go. One thing I have found is that certain commands for diagnostics prevent the issue from occurring on the device you are testing with which is a little odd. What PAN-OS version are you using?

0 Likes Likes

arg2022
L0 Member

‎02-16-2022 07:08 AM

Sitting on the v9.0 branch. Have disabled QUIC, TLS 1.3 Early Data, and CECPQ2 via the client browser thinking that might help, but it made no difference. Appearing like it might be an issue w/ the Palo acting as the client w/ the external server (accounts.google.com) vs the Palo acting as the server to internal clients. If you could let us know what the final resolution w/ TAC is, that'd be great!

0 Likes Likes
  • 5264 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks