How Does Palo Alto Networks handle HTTP range extension?

Created On 04/24/19 10:16 AM - Last Modified 11/20/20 00:23 AM


Question


How does Palo Alto Networks handle the HTTP Range option?
 
 


Environment


  • PAN-OS 7.1 and above
  • Palo Alto Networks firewall
 
 


Answer


The following sections describe how Palo Alto Networks handles HTTP range extensions.

What is the HTTP range option?

The HTTP range option in the HTTP header lets a client machine request a partial download of a file from a server, limited to specified ranges of bytes. Computers use this option when you resume a download that had been paused.

This option is also used when an exe file is partially downloaded from a website and then executed: the server is contacted to deploy the executable, and the client might need a partial response to the GET request it sends. In that case, this option is used.

In some cases, the client may cache part of the file and then request the rest of the file using the HTTP Accept-Ranges header.
Refer to the RFC for HTTP requests (Section 14.35.2): https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35
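
The resume exchange described above, as an added example that is not part of the original article or Palo Alto Networks code: it parses a constructed request/response pair and reports whether the server actually resumed at the requested byte. The host name, path and sizes are made up, and only the single-range form bytes=N- or bytes=N-M is handled.

```python
import re

# Constructed sample: a client resuming a ZIP download with 1000 bytes on disk.
REQUEST = (
    "GET /files/archive.zip HTTP/1.1\r\n"
    "Host: downloads.example.test\r\n"
    "Range: bytes=1000-\r\n\r\n"
)
# Constructed sample: a server honoring the range (the file is 5000 bytes).
RESPONSE = (
    "HTTP/1.1 206 Partial Content\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Range: bytes 1000-4999/5000\r\n"
    "Content-Length: 4000\r\n\r\n"
)

def parse_head(raw):
    """Split an HTTP message head into (start line, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def requested_offset(request):
    """Return the first byte asked for in 'Range: bytes=N-[M]', or None."""
    _, headers = parse_head(request)
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", headers.get("range", ""))
    return int(m.group(1)) if m else None

def classify(request, response):
    """Say how the response relates to the client's range request."""
    offset = requested_offset(request)
    if offset is None:
        return "no-range-request"
    status_line, headers = parse_head(response)
    status = int(status_line.split()[1])
    if status == 200:
        return "range-ignored-full-body"  # server restarted from byte 0
    if status == 416:
        return "range-not-satisfiable"
    m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+|\*)", headers.get("content-range", ""))
    if status == 206 and m and int(m.group(1)) == offset:
        length = int(m.group(2)) - int(m.group(1)) + 1
        if headers.get("content-length") in (None, str(length)):
            return "resumed"
    return "mismatch"

if __name__ == "__main__":
    print(requested_offset(REQUEST), classify(REQUEST, RESPONSE))
```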


Why and when is this relevant?
This is relevant when troubleshooting issues where an open-ended security policy allows web traffic and a client requests partial ranges from a certain website through a Palo Alto Networks firewall.

The Palo Alto Networks firewall handles this request in two ways:
1) Allowing clients to send packets with this option enabled (Device > Setup > Content-ID > Allow HTTP Header range option)
2) Allowing downloads when the HTTP range option is seen in an HTTP stream and the firewall is unable to handle them.

For example, the browser was downloading a ZIP file and was interrupted, leaving a partial file in the Downloads folder. When the download resumed, the browser requested only the part of the file that was missing. The firewall is unable to handle this.

To fix this, use the following command:

set deviceconfig setting ctd skip-block-http-range no  => In PAN-OS 7.1
set deviceconfig setting ctd allow-http-range yes => In PAN-OS 8.1 and above.


Symptom Observed
When the firewall is unable to handle such requests, the customer's firewall shows no drop counters or packet drops. However, when profiles are used in the security policy, file download sessions hang after partially downloading the files, and the downloads never complete.

When packets containing this option are seen, the global counters show an "HTTP range detected" counter (this is not the counter's actual name, but the actual name does contain http_range).

In that case, apply the workaround using the following command:

set deviceconfig setting ctd skip-block-http-range no  => In PAN-OS 7.1
set deviceconfig setting ctd allow-http-range yes => In PAN-OS 8.1 and above.

Note: A commit operation is required after setting the HTTP range option.


