You don't have permission to access "http://www.costco.com/" on this server.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

You don't have permission to access "http://www.costco.com/" on this server.

L4 Transporter

There are certain websites that I cannot visit behind the firewall, and get errors saying You don't have permission to access XYZ on this server.  In this case, I cannot visit www.costco.com

 

I am accessing with https/

 

Has anyone figured out how to resolve the issue?   Do you have to disable SSL decryption for these sites or something else?  I don't see denies under monitor -> traffic, same goes for url filtering.

 

fhewiufhwefhwe_0-1627664109981.png

 

 

1 accepted solution

Accepted Solutions

@fhewiufhwefhwe 

The operators of this website had an issue snd this is now resolved. At least this is what I see now after my tests. First I had the issue only with http but now it works correct and I am redirected to https. So I am still sure this one is not an issue of the firewall.

In similar cases it might be a geolocation restriction and because of that a permission error is shown...

View solution in original post

10 REPLIES 10

L7 Applicator

Hi @fhewiufhwefhwe 

There is no issue on the firewall when accessing this website. The issue is on the website itself - they have a configuration problem with http. With https the website is loading without permission problems.

L7 Applicator

So, for any of this traffic, you are not seeing anything in your logs?  Not for that rule? or anything?  What about the packet capture? Have you tried to access the IP directly? Does the name resolve? 

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

The name resolves.  I have not seen anything useful in the logs, and have been using PA for 3 years now.  I have not checked a packet capture.

 

If I try by ipaddress, it says 

Invalid URL

The requested URL "no URL", is invalid.

Reference #9.d6fb3f17.1627664346.330281c

L7 Applicator

@fhewiufhwefhwe 

Permission problems on websites are in about 99.9% (or even more) not an issue of the firewall.

No, the attempt is with https and it does not load behind the firewall.  I have no issues when not behind the firewall, but cannot test the same ipaddress since I am remote.

Or it could be the response of other proxies or firewall to the palo alto having performed SSL decryption?   I sometimes see sites that load for a second and then switch the permission denied.  It's fairly annoying to tell people to browse sites from their phone.

@fhewiufhwefhwe 

Could you try to access the website now once again (try it in private mode or restart the browser)?

It's working in edge.  I wonder if it may have to do with blocking quic.

@fhewiufhwefhwe 

The operators of this website had an issue snd this is now resolved. At least this is what I see now after my tests. First I had the issue only with http but now it works correct and I am redirected to https. So I am still sure this one is not an issue of the firewall.

In similar cases it might be a geolocation restriction and because of that a permission error is shown...

Not a clue given that it's working in Edge and not chrome, and works on chrome from other ipaddresses.  Think I'll just try edge whenever I run into this, and maybe try clean installs of chrome.  Quic and SSL decrypt are the only two ideas I have that are firewall related.

  • 1 accepted solution
  • 12297 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!