Firewall lets the initial HTTP GET/POST request through

Created On 04/09/19 15:54 PM - Last Modified 04/16/19 16:57 PM


Symptom


After the TCP 3-way handshake, the HTTP GET/POST request is intermittently sent out of the firewall for websites that fall under blocked categories.
The URL Filtering logs show that the URL was blocked.


Environment


  • Security Policy configured based on service tcp/80 and tcp/443 with URL Filtering Policy applied.
  • Required Categories are set to block


Cause


This happens when the dataplane (DP) does not have a cached category for the accessed URL.

Here is the flow:
  1. Firewall allows TCP 3-way handshake.
  2. GET/POST request received on the Firewall.
  3. If the firewall does not have a category for the URL in the DP, the GET/POST request packet is allowed through while the firewall is still resolving the URL category.
  4. By the time the server responds, the firewall has the category, so the response is blocked and the block response page is served to the user.
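
To confirm that an observed request matches this flow, the blocked entries in the URL Filtering log can be correlated with requests captured on the egress side of the firewall. The following is an added example, not part of the original article or any Palo Alto Networks tooling; the record layouts, sample values and the function name `egressed_despite_block` are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (simplified records, not a PAN-OS log format).
# URL Filtering log entries: (time, client, url, action)
URL_LOG = [
    ("2019-04-09 15:54:01", "10.0.0.5", "blocked.example/login", "block"),
    ("2019-04-09 15:54:09", "10.0.0.5", "blocked.example/login", "block"),
    ("2019-04-09 15:55:30", "10.0.0.7", "other.example/", "alert"),
]
# HTTP requests seen in a capture on the egress side of the firewall:
# (time, client, method, url, request_body_bytes)
EGRESS_CAPTURE = [
    ("2019-04-09 15:54:01", "10.0.0.5", "POST", "blocked.example/login", 120),
    ("2019-04-09 15:55:30", "10.0.0.7", "GET", "other.example/", 0),
]

def egressed_despite_block(url_log, egress, window_s=5):
    """Return blocked log entries whose request was still seen leaving the firewall."""
    window = timedelta(seconds=window_s)
    unused = [(datetime.strptime(t, FMT), c, m, u, b) for t, c, m, u, b in egress]
    findings = []
    for t, client, url, action in url_log:
        if action != "block":
            continue
        logged = datetime.strptime(t, FMT)
        for req in unused:
            seen, r_client, method, r_url, body = req
            if r_client == client and r_url == url and abs(seen - logged) <= window:
                findings.append({"time": t, "client": client, "url": url,
                                 "method": method, "body_bytes": body})
                unused.remove(req)  # one captured request explains one log entry
                break
    return findings

if __name__ == "__main__":
    # First access (category not yet cached): the POST left the firewall.
    # Second access (category cached): nothing appears on the egress side.
    for finding in egressed_despite_block(URL_LOG, EGRESS_CAPTURE):
        print(finding)
```

A non-zero `body_bytes` on a finding means POST data reached the blocked site before the category was resolved, which is the case worth reviewing.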


Resolution


This behavior is by design.
