Anti-Virus Block Page Not Shown on Browser in PA-220, PA-820, PA-850 setup
Created On 08/21/19 09:29 AM - Last Modified 06/18/25 07:39 AM
Symptom
When a PA-220, PA-820, or PA-850 with SSL decryption configured detects malware in HTTPS traffic, it sends a TCP reset to the browser instead of displaying the block page. When the same firewall detects malware in HTTP traffic (which does not require decryption), the block page is displayed as expected in the browser downloading the malware.
Environment
- NGFW
- PA-220 and PA-800 series
- Supported PAN-OS versions
- SSL decryption and Anti-Virus profiles are used in the security policy. The malware is detected while the Palo Alto Networks next-generation firewall is inspecting HTTPS traffic. The symptom does not occur (i.e., the block page is displayed as expected) when the traffic is blocked by URL filtering with SSL decryption enabled.
Cause
Content inspection with SSL decryption requires significant memory.
Palo Alto Networks next-generation firewalls have several features and capabilities, and the amount of physical memory differs for each model. On each firewall, the physical memory is divided into pre-defined regions, one for each feature and capability, based on the hardware model range.
Large hardware models (e.g., PA-5200 Series) have much more physical memory available than small or medium hardware models (e.g., PA-800 Series or PA-220), so they allocate more memory to each feature and capability than the other hardware model series do. For this reason, the symptom is specific to the PA-800 Series and PA-220.