url_filtering problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

url_filtering problem

L2 Linker

HI all,

We have a cluster of 2xPA3050, for protection to untrusted zone. Last week we enabled the trial license for url_filtering. Since that moment we have met a special problem. We use a citrix application over ssl in the cloud. This citrix server is perfectly reachable, but after the authentication, the application seems to hang. We disabled all rules referring to url_filter categories, so there is no reference in the policy to url-filter. Nevertheless, with the license enabled, the citrix application doesn't work. There is no reference in the monitor tab/logs that something is dropped. By doing a packet capture, we only see an rst tcp reset from the other side, but nothing seems to be dropped or logged.

Anybody knows how I can troubleshoot this ? Is there a possibility that with activating the pan-db database in the licenses, without activating any rules, that there is an interception on ssl traffic ?

We have panos6.1, url_filtering, also global protect is enabled. Ssl decription is not enabled.

Thanks and greetz,

Johan

5 REPLIES 5

L5 Sessionator

Hi johan.boeckx

Do you see any session in discard state for the concerned IP address, you can look at it using : show session all filter state discard source <ip-address> ?

Also can you compare the TTL value in RST packet that you are seeing with TTL that you see in any other packet from the source ?

Hope it helps !

HI,

Thanks for the answer. I checked the session based on the source as on the destination. Both there were no active sessions

admin@FW01CO(active)> show session all filter state discard source 10.104.0.8

No Active Sessions

admin@FW01CO(active)> show session all filter state discard source 10.104.0.8

No Active Sessions

admin@FW01CO(active)> show session all filter state discard destination 193.109.234.40

No Active Sessions

admin@FW01CO(active)> show session all filter state discard destination 193.109.234.43

No Active Sessions

Hello Johan,

Could you please try to clear URL cache from this PA  firewall.

>clear url-cache all

>delete dymanicurl host all

Even after applying above command, issue persists, then apply below command. ( it will not impact to your production traffic)

>debug software restart device-server

Hope this helps.

I tried this, but didnt gave any result. I digged a bit deeper and read number of Palo alto docs regarding flow_tcp_non_syn_drop, which I had a lot. This is related to assymetric routing. Strange is that we dont have assymetric routing, but since this webside is in the cloud, the problem can have originated on the internet. Anyway, I disabled the TCP - reject non-SYN first packet: from true to false. Now,a number of applications work on this cloud based site, only not the citrix related, tunneled through ssl.Nothing is blocked through policies.

Just curious to know,how the problem is resolved

  • 6788 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!