How the URL Continue Option Works on the packet level
Resolution
Details
This document uses an example in which a "URL Filtering" profile applies the "continue" action to the "social networking" category. Packet captures were taken on the client side. For HTTP/HTTPS traffic that hits a security policy with this URL profile, a "continue" response page is shown in the web browser (in the example shown below, it is the http://facebook.com page):
Once the TCP session is established (packets 268-270), the HTTP traffic matches the URL category configured with the "continue" action, so the Palo Alto Networks device sends an HTTP 302 redirect message, as shown below (packet number 272). The redirect location specified in this packet is: "http://173.252.110.27:6080/php/urlblock.php?vsys=1&cat=10014&title=social-networking&rulename=permit-all&uid=16&url=http://facebook.com%2f" (the same URI that is seen in the web browser in the example above). This URI contains the URL category and the original URL. When the web browser receives this packet, the existing TCP session is torn down (packet number 276):
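The redirect described above can be recognized and decoded when reviewing client-side captures or proxy logs. The following Python sketch is an added example, not part of the original article or of PAN-OS. It assumes the port (6080) and path (/php/urlblock.php) seen in this capture, and that the original URL is always the last query parameter, as it is in the Location value quoted above.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the 302 from packet 272, rebuilt around the Location value
# quoted in the article. The reason phrase and Content-Length header are assumed.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://173.252.110.27:6080/php/urlblock.php?vsys=1&cat=10014"
    "&title=social-networking&rulename=permit-all&uid=16&url=http://facebook.com%2f\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_continue_redirect(raw_response, port=6080, path="/php/urlblock.php"):
    """Return the fields of a "continue" redirect, or None for any other response."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = head[0].split(" ", 2)
    if len(status) < 2 or status[1] != "302":
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(headers.get("location", ""))
    try:
        on_portal = parts.port == port and parts.path == path
    except ValueError:  # malformed port in the Location header
        return None
    if not on_portal:
        return None
    # Assumption: "url" comes last and is not fully percent-encoded, so it can
    # carry its own "&"; everything after "&url=" is the original URL.
    query, sep, original = parts.query.partition("&url=")
    if not sep:
        return None
    fields = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote(value)
    fields["url"] = unquote(original)
    fields["portal"] = f"{parts.hostname}:{parts.port}"
    return fields

if __name__ == "__main__":
    print(parse_continue_redirect(SAMPLE_302))
```

The final 302 that sends the browser back to the original site after "Continue" is pressed returns None here, because its Location does not point at the response-page port and path.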
Next, the browser initiates a new TCP session (packets 277-279) to port 6080, as specified in the HTTP 302 message sent from the Palo Alto Networks device. Packet number 280 shows the HTTP request sent from the web browser. The HTTP GET message in this packet contains the path taken from the location field of the HTTP 302 message:
In the session shown below, the Palo Alto Networks device sends an HTTP 200 OK message (packet number 284). This packet contains the HTML code for the "Continue" button, and when the web browser receives this packet, it shows the "continue" page (first image at the top of this document):
Use the following CLI command to see the session on the Palo Alto Networks device, which is recognized as "panos-web-interface":
> show session all filter source 192.168.193.3
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port])
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1192 panos-web-interface ACTIVE FLOW ND 192.168.193.3[2569]/Trust/6 (192.168.193.3[2569]) vsys1 173.252.110.27[6080]/captive-portal (127.131.1.1[6180])
[...]
When the client presses the "Continue" button, the Palo Alto Networks device redirects the web browser to the final destination. Packet number 388 shows the moment when the "Continue" button is pressed by the end user, while packet number 390 shows the HTTP 302 message generated by the Palo Alto Networks web server (this packet has the original http://facebook.com URL set in its location field):
Finally, the web browser initiates a new TCP connection directly to the facebook.com web server:
owner: gbogojevic