Slow download for Metasploit Updates


L4 Transporter

I have a question and I am not sure if I am posting this in the right place. I am also new to Palo Alto firewalls. I have a lot of experience with Cisco and SonicWall, so you'll have to excuse me if I sound a little ignorant concerning Palo Alto at the moment.

This is my question/problem. I have a single subnet on my network that seems to be having problems downloading updates from Metasploit. Browsing to the Metasploit website and downloading the update will give an error stating "Installation failed: Signature failure". The research we've done and the feedback we've been given by Rapid7 is explaining that this error is due to a firewall configuration. The other problem is that when we attempt to download the file, I believe from a direct link, it's insanely slow. It's about a 120 Mb file and it says the download will take about 14 days.

A couple of things to know. This is the only problem download that this user and subnet are experiencing, that we are aware of. I am on a different subnet and my direct download is fine; it takes just a couple of minutes to download. The firewall has a rule to allow all from untrust to trust. We are using a PA500. At this point I am not sure what more I can do to verify and confirm that the firewall is not the problem. What steps can I take to continue troubleshooting this, to figure out whether the firewall is really the culprit or not? Any help would be greatly appreciated!


L6 Presenter

Hi. Please check link speed & duplex for a mismatch on the Ethernet interface of the PA device. Also, check to see if there's a QoS policy that may be controlling this traffic. If the user is on the trust zone and the download server is on the untrust zone, the policy should be to allow trust --> untrust for the download request. Thanks.

rmonvon, thank you for the quick reply. I've checked the speed & duplex settings on the PA interface and compared them to the interface it's connected to, and they match at 1 Gig Full. This is the only site/download we are having issues with, so I don't believe that a mismatched speed/duplex setting is the problem. I also checked QoS policies. There are just a few for some websites, but not the one we are browsing to, and the policy is for any source IP > any destination IP. With this setting I should have the same problem too, since I'm on a different subnet, but I don't. It looks like we have URL licensing, but I can't seem to get the URL filtering to pull any data. Is it possible this could be an issue? Would there be anything else that could be causing the problem?

Thanks again for the help.

I was able to figure out that URL filtering is not the cause of the problem either. Still looking for the cause though.

Can you try logging into that PC as yourself and testing the download, and try the download from a different browser. Maybe there's something wrong with the user's desktop/browser, like caching on that browser setting.

I have to make a correction to my original statement, it does seem to be having the same problem on the subnet I am on. The issue must be with either the firewall or the ISP. I'd like to rule out the firewall before I call and blame the ISP.

rmonvon, to answer your question, I have tried from several different browsers. Many of them fail immediately when starting the download. Safari was successful as far as continuing the download, but what should be a few-minute download is expected to take 2 days at this point (and it will get longer). Thanks again.

You can define an app-override rule to match on the traffic and add a security rule to allow this new app. The app override will bypass the inspection done by the f/w, with the exception of stateful inspection.

Define an app-override rule:

src=your IP address

dst=destination IP address or any

udp/tcp port=tcp/80 (or match this to the download port)

application=newapp

Instructions to create newapp can be found here:

Add security rule at the top:

src=your IP address

dst=destination IP address or any

application=newapp

action=allow

This should rule out the f/w. Thanks.

Thank you for the help and information. I also apologize for the delayed response. We were able to find out that the download was actually stopping, which is why the download time kept increasing. After some digging and looking into the threat logs, we realized that the attempted download was being blocked due to a virus threat. We had to create a few exceptions to allow the download to continue. I believe the PA incorrectly identified information in the signature or the packets as potentially dangerous and flagged it as such. After making the exceptions the download was successful. Thanks again.
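An added example, not code from the thread or from Palo Alto Networks, of the triage step this reply describes: reading the threat log for repeated blocks of the same file from one client, which is the signature of a download that keeps getting cut (so the browser's "time remaining" grows) rather than one that is merely slow. The log lines and the ten-field layout are constructed and simplified; real PAN-OS threat logs have many more columns.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample threat log (not real PAN-OS output). Simplified layout:
# time, type, subtype, src, dst, app, rule, action, threat, filename
SAMPLE_LOG = """\
2013/05/01 10:02:11,THREAT,virus,10.10.20.15,203.0.113.40,web-browsing,allow-all,drop,Virus/Generic(constructed),metasploit-update.bin
2013/05/01 10:02:40,THREAT,virus,10.10.20.15,203.0.113.40,web-browsing,allow-all,drop,Virus/Generic(constructed),metasploit-update.bin
2013/05/01 10:03:02,THREAT,url,10.10.30.7,198.51.100.9,web-browsing,allow-all,alert,social-networking,
2013/05/01 10:03:30,THREAT,virus,10.10.20.15,203.0.113.40,web-browsing,allow-all,drop,Virus/Generic(constructed),metasploit-update.bin
2013/05/01 10:04:10,THREAT,vulnerability,10.10.20.15,203.0.113.40,web-browsing,allow-all,alert,HTTP-Chunked(constructed),metasploit-update.bin
"""

FIELDS = ["time", "type", "subtype", "src", "dst", "app", "rule",
          "action", "threat", "filename"]
# Actions that terminate the session (assumed names); "alert" only logs.
BLOCK_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block"}


def parse_threat_log(text):
    """Parse the constructed CSV layout into one dict per log line."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def blocked_downloads(text, dst=None):
    """Group blocking threat entries by (src, dst, filename).

    Returns one record per group with the hit count and the threat names
    seen. 'repeated' is True when the same file was blocked more than once,
    i.e. the client retried and was cut again: a stalling, not slow, download.
    An optional dst filter narrows the report to one download server.
    """
    hits = Counter()
    threats = {}
    for row in parse_threat_log(text):
        if row["action"] not in BLOCK_ACTIONS:
            continue  # alerts are informational; the transfer continued
        if dst is not None and row["dst"] != dst:
            continue
        key = (row["src"], row["dst"], row["filename"])
        hits[key] += 1
        threats.setdefault(key, set()).add(row["threat"])
    return [
        {"src": s, "dst": d, "filename": f, "hits": n,
         "threats": sorted(threats[(s, d, f)]), "repeated": n > 1}
        for (s, d, f), n in hits.items()
    ]


if __name__ == "__main__":
    for rec in blocked_downloads(SAMPLE_LOG):
        print(rec)
```

Each record names the threat signature to review before adding an exception, so the exemption can be scoped to that signature and destination rather than to the whole profile.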

Well, actually Metasploit is true exploits, so I would rather be surprised if your PA would let these files through without any remarks. :)
