How the URL Continue Option Works on the packet level

48217
Created On 09/25/18 19:24 PM - Last Modified 06/13/23 02:44 AM


Resolution


Details

The scenario in this document uses a "URL Filtering" profile in which the "social-networking" category has the Action set to "continue". Packet captures were taken on the client side. For HTTP/HTTPS traffic that hits a security policy with this URL Filtering profile attached, the web browser shows a "continue" response page (in the example below, for the http://facebook.com page):

[Image: Screen Shot 2014-07-04 at 5.12.17 PM.png]

After the TCP session is established (packets 268-270), the HTTP request matches the URL category configured with the "continue" action, and the Palo Alto Networks device sends an HTTP 302 redirect, shown below as packet 272. The Location header in this packet is "http://173.252.110.27:6080/php/urlblock.php?vsys=1&cat=10014&title=social-networking&rulename=permit-all&uid=16&url=http://facebook.com%2f" (the same URI seen in the web browser in the example above). This URI carries the URL category and the original URL as query parameters. Once the web browser receives this packet, the existing TCP session is torn down (packet 276):

[Image: 2.png]

Next, the browser initiates a new TCP session (packets 277-279) to port 6080, as specified in the HTTP 302 message sent by the Palo Alto Networks device. Packet 280 shows the HTTP request sent by the web browser. The HTTP GET in this packet uses the path taken from the Location field of the HTTP 302 message:

[Image: 3.png]

In the session shown below, the Palo Alto Networks device sends an HTTP 200 OK message (packet 284). This packet carries the HTML for the "Continue" button; when the web browser receives it, it displays the "continue" page (the first image at the top of this document):

[Image: 4.png]

Use the following CLI command to see the session on the Palo Alto Networks device; the session is recognized as the "panos-web-interface" application:

> show session all filter source 192.168.193.3

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ID          Application          State   Type  Flag  Src[Sport]/Zone/Proto        (translated IP[Port])    Vsys   Dst[Dport]/Zone                       (translated IP[Port])
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1192        panos-web-interface  ACTIVE  FLOW  ND    192.168.193.3[2569]/Trust/6  (192.168.193.3[2569])    vsys1  173.252.110.27[6080]/captive-portal  (127.131.1.1[6180])
[...]

When the client presses the "Continue" button, the Palo Alto Networks device redirects the web browser to the final destination. Packet 388 shows the moment the end user presses the "Continue" button, and packet 390 shows the HTTP 302 message generated by the Palo Alto Networks web server, with the original http://facebook.com URL in its Location field:

[Image: 5.png]

Finally, the web browser initiates a new TCP connection directly to the facebook.com web server:

[Image: Screen Shot 2014-07-04 at 5.11.30 PM.png]
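The two-stage redirect described above (packet 272 to the continue page, packet 280 from the browser, packet 390 back to the original site) can be checked from a client-side capture without a screenshot. The following Python is an added example, not code from this article or from Palo Alto Networks: it decodes a constructed copy of the firewall's first HTTP 302, rebuilds the GET the browser sends on the port-6080 session, and checks that the second 302 points back at the original URL. Only the Location values come from the article; the status line wording, the other headers and the function names (decode_continue_redirect, build_continue_page_request, is_release_redirect) are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of the HTTP 302 sent by the firewall (the article's packet 272).
# Only the Location value is taken from the article; the status-line text and the
# remaining headers are an assumption made for this example.
CONTINUE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://173.252.110.27:6080/php/urlblock.php?vsys=1&cat=10014"
    b"&title=social-networking&rulename=permit-all&uid=16&url=http://facebook.com%2f\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed sample of the second 302 (packet 390) that sends the browser on to
# the original site once "Continue" has been pressed.
RELEASE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://facebook.com/\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_response_head(raw: bytes):
    """Return (status_code, headers) parsed from the head of a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def decode_continue_redirect(raw: bytes):
    """Pull the continue-page parameters out of the first 302; None if it is not one."""
    status, headers = parse_response_head(raw)
    if status != 302 or "location" not in headers:
        return None
    loc = urlsplit(headers["location"])
    if loc.path != "/php/urlblock.php":
        return None
    params = dict(parse_qsl(loc.query))  # parse_qsl percent-decodes, so %2f becomes /
    return {
        "block_host": loc.hostname,
        "block_port": loc.port,
        "vsys": params.get("vsys"),
        "category_id": params.get("cat"),
        "category": params.get("title"),
        "rule": params.get("rulename"),
        "original_url": params.get("url"),
        # The request-target the browser copies onto its GET line (packet 280).
        "request_target": loc.path + "?" + loc.query,
    }


def build_continue_page_request(raw: bytes) -> bytes:
    """Build the GET the browser sends on the new port-6080 session (packet 280)."""
    info = decode_continue_redirect(raw)
    if info is None:
        raise ValueError("not a URL Filtering continue redirect")
    return (
        f"GET {info['request_target']} HTTP/1.1\r\n"
        f"Host: {info['block_host']}:{info['block_port']}\r\n"
        f"\r\n"
    ).encode("ascii")


def is_release_redirect(raw: bytes, original_url: str) -> bool:
    """True if this 302 sends the browser back to the URL it originally requested."""
    status, headers = parse_response_head(raw)
    return status == 302 and headers.get("location") == original_url


if __name__ == "__main__":
    info = decode_continue_redirect(CONTINUE_302)
    print(info)
    print(build_continue_page_request(CONTINUE_302).decode("ascii"))
    print("release redirect matches original URL:",
          is_release_redirect(RELEASE_302, info["original_url"]))
```

When reviewing a real client capture, the combination that identifies the continue flow is a 302 whose Location points at the firewall's port 6080 and /php/urlblock.php path, followed by a GET for that same request-target on a fresh TCP session, and finally a 302 whose Location equals the url parameter of the first redirect; the helpers above check each of those three points on the constructed samples.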

owner: gbogojevic
