Unable to play a video on a URL even though the specific URL is being allowed through the Firewall
Created On 02/19/20 19:07 PM - Last Modified 01/05/21 02:45 AM
Symptom
- Unable to access a URL containing video when the associated Security Policy has any Security Profiles (URL Filtering, AV, Anti-Spyware, etc.) attached to it.
- The video on the URL plays for a few seconds and then stops, often with a blank white screen.
- The video plays successfully without issues when the associated Security Policy does not have any Security Profiles attached to it.
- The Session End Reason in the logs shows up as TCP-RST-from-client.
- Packet captures reveal one of the below responses from the web server side.
Environment
- PAN-OS 8.1 and above
Cause
- Whenever session traffic matches a Security Policy that has Security Profiles attached to it, the firewall performs content inspection.
- The "Allow HTTP partial response" setting on the firewall under Device->Setup->Content-ID controls whether the firewall allows a client to fetch only a part of a file/response. By default, Allow HTTP partial response is enabled. Disabling this option causes the firewall to terminate the TCP session with an RST packet.
Resolution
- Prior to the change, refer to the documentation of "Allow HTTP partial response" under "Content ID settings".
- Enable the "Allow HTTP partial response" option by following the steps below.
- Navigate to Device->Setup->Content-ID->Content-ID Settings
- Click on the Gear Icon under Content-ID settings
- Click on the check-box for the option "Allow HTTP partial response" and click OK.
- Commit Changes
Additional Information
Note:
- Please keep in mind that this is a global setting and could affect all the traffic passing through the Firewall.
- Disabling this option can impact streaming media services, such as Netflix, Microsoft Updates, and Palo Alto Networks content updates.
- Prior to PAN-OS 8.1, this option was called Allow HTTP Header Range.
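To confirm from a client whether partial responses survive the path, send a request carrying a `Range` header (the header the pre-8.1 option name refers to) and classify the reply. This is an added example, not Palo Alto Networks code; `probe_range`, the demo server, its paths and the sample body are constructed for illustration, and the demo's `/reset` path only imitates a dropped session by closing without answering.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = bytes(range(256)) * 4  # constructed 1 KiB stand-in for a video file

def probe_range(host, port, path="/", timeout=5):
    """Ask for the first 100 bytes only and classify what comes back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Range": "bytes=0-99"})
        resp = conn.getresponse()
        resp.read()
        if resp.status == 206:
            return "partial"   # Range honoured along the whole path
        if resp.status == 200:
            return "full"      # Range ignored, complete body returned
        return f"status-{resp.status}"
    except ConnectionResetError:  # also covers http.client.RemoteDisconnected
        return "reset"         # session torn down before a response arrived
    finally:
        conn.close()

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed server: /video honours Range, /full ignores it, /reset drops."""
    def log_message(self, *args): pass  # keep the demo quiet
    def do_GET(self):
        if self.path == "/reset":
            return  # close without answering: the client sees the session drop
        rng = self.headers.get("Range", "")
        if self.path == "/video" and rng.startswith("bytes="):
            start, end = (int(x) for x in rng[6:].split("-"))
            chunk = BODY[start:end + 1]
            self.send_response(206)
            self.send_header("Content-Range", f"bytes {start}-{end}/{len(BODY)}")
        else:
            chunk = BODY
            self.send_response(200)
        self.send_header("Content-Length", str(len(chunk)))
        self.end_headers()
        self.wfile.write(chunk)

def start_demo_server():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    port = start_demo_server().server_address[1]
    print({p: probe_range("127.0.0.1", port, p) for p in ("/video", "/full", "/reset")})
```

Against a real site, a `reset` result seen only when the matching Security Policy has Security Profiles attached is consistent with the Cause described above.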