Block-Continue pages download limitation on Palo Alto Networks firewalls

There is a limitation when using the Palo Alto Networks firewall when configured with a File Blocking profile. The Palo Alto Networks firewall must identify a file in the first HTTP packet sent by the server in order to send a continue-block page to the client.  

Even if the firewall delivers the block page, a browser would only think that the response page is part of the file instead of interpreting it as a web page and the download will not complete.

Cause

This limitation is caused by the way the HTTP protocol works. Simply put, if the file transfer does not start in the first HTTP packet from the server, the browser would not understand the continue page even if we send it, because it already expects the file. This limitation exists for all vendors, not only Palo Alto Networks, and there is not a workaround on the firewall itself.

Workaround

The only way to workaround this behavior is to change it on the web-server side (configure web-server in the way it starts sending files in the first packet).

Example of the issue

In the example below, the server first sends HTTP response packet (200 OK), then it starts sending file data in the separate packet, even though first HTTP packet is small, and file data could have been sent as part of that packet. In this case, we will not be able to inject the continue-block page.

1. Server sending 200 OK response:

2. File data transmission starts in the next packet:

Example fixed

In the example below, Continue-Block page can be inserted - server is starting to send the file in the first HTTP packet: