Firewall breaks SCCM communication for agent push/download between client and server
44736
Created On 05/05/20 16:17 PM - Last Modified 07/08/20 02:02 AM
Symptom
- The client push of the SCCM agent requires Microsoft BITS on the client to download the installation files over HTTP from the distribution point (DP).
- The firewall traffic log shows no denied or dropped sessions between the client and the DP over tcp/80 and tcp/443.
- Even with an additional test security policy on the firewall that allows any application and service (but still carries a security profile), the agent push/download does not complete across the firewall.
- Global counters (show counter global filter delta yes) show ctd_http_range_response incrementing while the download is attempted.
Environment
PAN-OS 8.1.x, 9.0.x
Cause
The firewall has "Allow HTTP partial response" disabled, and the client's HTTP GET carries a Range header asking the server for only part of the file, i.e. a partial response.
When that option is disabled, the firewall forwards the GET to the server and then sends a TCP reset to tear down the session, so the range download never completes and ctd_http_range_response increments.
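The exchange described above, as an added example that is not part of this KB article: a local HTTP server that honours Range requests with 206 Partial Content, and a client that downloads a file in consecutive ranges, one TCP session each, and reassembles it, which is the pattern BITS uses against a distribution point. The payload, the /package.bin path, the loopback port and the chunk size are all constructed for the demo. The code does not simulate the firewall; it only shows what crosses the wire and maps the client-side error a reset would produce to the cause this article describes.

```python
"""Added example, not from the Palo Alto Networks KB article: a loopback HTTP
server that answers Range requests with 206 Partial Content, plus a client that
fetches a file in pieces and reassembles it, as BITS does against an SCCM DP.
Payload, path, port and chunk size are constructed so this runs offline."""
import http.client
import http.server
import socketserver
import threading

# Constructed 10240-byte stand-in for the package BITS would fetch from the DP.
PAYLOAD = bytes(range(256)) * 40


class RangeHandler(http.server.BaseHTTPRequestHandler):
    """Serves PAYLOAD at any path; answers "Range: bytes=a-b" with a 206."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        rng = self.headers.get("Range")
        if rng is None:
            self.send_response(200)  # no Range header: the whole file in one session
            self.send_header("Content-Length", str(len(PAYLOAD)))
            self.end_headers()
            self.wfile.write(PAYLOAD)
            return
        unit, _, spec = rng.partition("=")
        start_s, _, end_s = spec.partition("-")
        if unit != "bytes" or not start_s.isdigit() or (end_s and not end_s.isdigit()):
            self.send_error(400, "Unsupported Range header")
            return
        start = int(start_s)
        end = min(int(end_s), len(PAYLOAD) - 1) if end_s else len(PAYLOAD) - 1
        if start > end:  # RFC 7233 unsatisfiable range
            self.send_response(416)
            self.send_header("Content-Range", f"bytes */{len(PAYLOAD)}")
            self.end_headers()
            return
        chunk = PAYLOAD[start:end + 1]
        # This 206 is the HTTP range response that a PAN-OS firewall resets when
        # Allow HTTP Partial Response is disabled (counter ctd_http_range_response).
        self.send_response(206)
        self.send_header("Content-Range", f"bytes {start}-{end}/{len(PAYLOAD)}")
        self.send_header("Content-Length", str(len(chunk)))
        self.end_headers()
        self.wfile.write(chunk)


def start_server():
    """Start the range-capable server on a free loopback port and return it."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), RangeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_whole(port):
    """Plain GET without Range: one session, one 200, the full file."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", "/package.bin")
    body = conn.getresponse().read()
    conn.close()
    return body


def fetch_ranges(port, chunk_size):
    """Download the file as consecutive Range requests, one TCP session each,
    as a resumable downloader such as BITS does. Returns the reassembled bytes
    and a log of (status, Content-Range) per request."""
    out, log, total, pos = bytearray(), [], None, 0
    while total is None or pos < total:
        conn = http.client.HTTPConnection("127.0.0.1", port)
        try:
            conn.request("GET", "/package.bin",
                         headers={"Range": f"bytes={pos}-{pos + chunk_size - 1}"})
            resp = conn.getresponse()
            body = resp.read()
        except (ConnectionResetError, http.client.RemoteDisconnected) as exc:
            # What the client sees across a firewall that blocks partial responses:
            # the range GET goes out, then the session is torn down with a reset.
            raise RuntimeError("partial response blocked in transit") from exc
        content_range = resp.getheader("Content-Range")
        conn.close()
        log.append((resp.status, content_range))
        if resp.status != 206 or content_range is None:
            raise RuntimeError(f"server did not honour Range: HTTP {resp.status}")
        total = int(content_range.rsplit("/", 1)[1])
        out += body
        pos += len(body)
    return bytes(out), log


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    pieces, log = fetch_ranges(port, 4096)
    for status, content_range in log:
        print(f"HTTP {status}  Content-Range: {content_range}")
    print("reassembled == whole file:", pieces == fetch_whole(port))
    server.shutdown()
```

Run it and the ranged download produces three sessions, each a GET with a Range header answered by a 206 carrying a Content-Range, and the reassembled bytes are identical to the single 200 download. That is the point behind the vendor's hardening advice: any one of those sessions holds only a fragment of the file, so per-session file inspection never sees the whole object, and it is also why BITS traffic stops when the firewall refuses to pass the 206.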
Resolution
From the GUI:
Check the box at Device >> Setup >> Content-ID >> Content-ID Settings >> Allow HTTP Partial Response, then commit.
Note:
By default, Allow HTTP Partial Response is enabled. Palo Alto Networks recommends disabling it for maximum security: when a client fetches a file as a series of Range requests, each piece travels in its own session, so a file-based signature that needs the whole file for context may not trigger, and a transfer the firewall reset after a threat verdict can be resumed for just the remaining bytes. Disabling the option does not impact device performance, but HTTP file transfer interruption recovery is impaired, and services that rely on range requests can break, including streaming media such as Netflix, Microsoft Updates and SCCM/BITS downloads, and Palo Alto Networks content updates. The setting is device-wide under Content-ID, so re-enabling it to fix SCCM restores partial responses for all traffic through the firewall, not only the SCCM flows.
Additional Information
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjPCAW