Websites losing appearance


Not applicable

Hi,

We're currently experiencing issues when trying to access some websites. Meaning, it takes a few minutes for the website to appear and sometimes it doesn't appear at all.

And when the website appears, it looks completely different than it should, as if you had disabled CSS and were given HTML-only output.

My first thought is an application that is being used on the website and that is not allowed within our filtering policy.

For such issues, how can we check which application patterns need to be enabled or created?

The problem occurs when trying to reach the following websites, for instance:

www.doodle.com

www.builtwith.com

www.x-formation.com

Reputation for the above websites is all good and it's not a URL category issue, as the websites resolve to the right categories and those categories are allowed within our policy.

Thank you for your help.

M S

8 REPLIES 8

L5 Sessionator

Do you have any URL categories in your policy with action block, continue, or override?  If so, take a look at your URL filtering logs and see if there are any entries with those actions when you attempt to go to the URLs you've listed.  Oftentimes websites will pull content from other sites (web-advertisements, CDNs, social networking sites), so check your logs to see if that is the case here.
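Added example, not part of the original thread: the reply above notes that pages pull content from other sites, so this Python script lists the third-party hosts a page's HTML loads stylesheets, scripts, images and frames from, which are the hostnames to look for in the URL filtering and traffic logs. The sample page and all `.example` hostnames are constructed; `ResourceCollector` and `third_party_hosts` are names chosen for this example.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tags a browser fetches automatically, and the attribute holding the URL.
FETCHING_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collect (kind, absolute URL) for every sub-resource the page loads."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCHING_TAGS.get(tag, ""))
        if not url:
            return
        kind = tag
        if tag == "link":  # only stylesheets matter here; skip icons etc.
            if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                return
            kind = "stylesheet"
        self.resources.append((kind, urljoin(self.page_url, url)))

def third_party_hosts(page_url, html):
    """Map every host outside the page's own site to the kinds it serves."""
    site = urlsplit(page_url).hostname
    site = site[4:] if site.startswith("www.") else site
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = defaultdict(set)
    for kind, url in collector.resources:
        host = urlsplit(url).hostname
        if host and host != site and not host.endswith("." + site):
            hosts[host].add(kind)
    return {h: sorted(k) for h, k in sorted(hosts.items())}

# Constructed sample page (not a capture of any real site).
SAMPLE_URL = "http://www.shop.example/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//static.cdn.example/site.css">
<link rel="icon" href="/favicon.ico">
<script src="http://stats.example/analytics.js"></script>
<script src="/js/app.js"></script>
</head><body><img src="http://img.shop.example/logo.png"></body></html>"""
if __name__ == "__main__":
    for host, kinds in third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items():
        print(host, ", ".join(kinds))
```

A host listed with `stylesheet` is the first one to check when a page renders as bare HTML.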

L4 Transporter

I agree with Dyang. The culprit could be web-ads, but in my experience CDNs have been the biggest culprit.

L4 Transporter

Watch your live traffic monitor on the firewall and filter based on source and destination address?

For example, I just did the following in the filter on monitor -> traffic tab

( addr.src in 10.x.x.x ) and (addr.dst in 88.198.48.141) (BuiltWith's IP address is the dst, my workstation is the src)

And got a whole bunch of "incompletes" on port 80 (i.e. unrecognised applications) along with some standard web browsing on port 80.

x-formation.com appears to be straight web-browsing on the front page (I didn't go any deeper into the site), but you could do similar and see what you find.

Cheers.

Not applicable

Hi,

Cheers guys for your input.

All 3 sites are now working except for doodle. It works when we try to reach http://doodle.com. But when users try to access the needed page within Doodle, it doesn't work.

Doodle has now put up the following message:

If you only see a virtually blank page, the following might help:

http://support.doodle.com/customer/portal/articles/645339-i-can-only-see-a-white-page

The thing is that we indeed have Kaspersky but this is only performing File Antivirus protection.

For the other 2 websites it works:

- x-formation.com is working since I've added google-analytics to the allowed apps. But I keep having a lot of "incompletes" on port 80.

- Builtwith.com wasn't working even after adding google-analytics. After a few hours it began to work. No incompletes for this one.

Is there an accurate way for our IT staff to determine which apps are used by a specific website, in order to evaluate the app and allow it if needed?

In other words, how can we interpret the incompletes?

Thank you.

sebbarmo wrote:

Hi,

Cheers guys for your input.

All 3 sites are now working except for doodle. It works when we try to reach http://doodle.com. But when users try to access the needed page within Doodle, it doesn't work.

Doodle has now put up the following message:

If you only see a virtually blank page, the following might help:

http://support.doodle.com/customer/portal/articles/645339-i-can-only-see-a-white-page

The thing is that we indeed have Kaspersky but this is only performing File Antivirus protection.

That information page gives what may be a hint - it mentioned "anonymous proxy server" when talking about Kaspersky - do you have a web filter set on your Palo Alto which has the category "proxy-avoidance-and-anonymizers" set to deny?

It could be that this page uses some sub-page or redirection which is being caught in this web category - check your URL filter logs for blocked traffic, maybe?

Hi Darren,

Thank you for your reply.

The proxy-avoidance-and-anonymizers category was indeed blocked. I unblocked the category but unfortunately this has not solved the problem. It keeps having the same behavior.

Is there any manner to know what kind of application those sub pages are calling for instance?

Thank you.

M S

L4 Transporter

Let's confirm that we are dealing with a FW issue. Put a computer on the OUTSIDE of the FW (maybe a L2 switch between your ISP and your FW) to confirm that this is an issue with your configuration of your PA firewall. If you did this, it would help everyone to know that this is or is not a PA firewall issue. Please advise.

Hi Scantwell,

I'll perform this test today and let you know what the results are.

Thanks.

M S

  • 3839 Views
  • 8 replies
  • 0 Likes