Firewall breaks SCCM communication for agent push/download between client and server

42093

Created On 05/05/20 16:17 PM - Last Modified 07/08/20 02:02 AM

HTTP

Policy

8.1

9.0

PAN-OS

Symptom

The push of the agent between client and servers requires Microsoft BITS to download the required files from the HTTP(DP).
Firewall traffic log is not showing any deny/drop packets for the communication between source and destination IPs over tcp/80 and tcp/443.
Even after creating additional test security policies on the firewall not restricting any port and service but still having a security profile, the Microsoft upgrade is not completing properly across the FW.
Global counters are showing the following counter: ctd_http_range_response

Environment

Pan-OS 8.1.x,9.0.x

Cause

FW has the "Allow HTTP partial response" disabled
And the client HTTP get has the below HTTP range requesting a partial download/response form the server.
User-added image

When the option above is disabled the FW will send the HTTP get to the server followed by a TCP reset to break the connection.

Resolution

From the GUI:
Check the box for: Device >> Setup >> Content-ID >> Content -ID Settings >> Allow HTTP Partial response

Note:
By default, the Allow HTTP partial response is enabled. However, Palo Alto Networks recommends you disable this option for maximum security. Disabling this option should not impact device performance; however, HTTP file transfer interruption recovery may be impaired. In addition, disabling this option can also impact streaming media services, such as Netflix, Microsoft Updates, and Palo Alto Networks content updates.

Additional Information