Simultaneous file downloads are failing when using any security profile along with decryption on the security rule.

10945

Created On 04/11/22 04:53 AM - Last Modified 11/02/22 04:43 AM

Security Policy

Security Profiles

Decryption

10.0

10.2

10.1

Prisma Access

PAN-OS

Symptom

File downloads either fail or the downloaded files are corrupted and fail the CRC check.
The issue is usually observed when multiple files are downloaded simultaneously.
Disabling the SSL decryption fixes the issue
Keep the SSL decryption enabled but removing all the security profile from security rule also fixes the issue.
No Threat logs are generated for this issue and traffic is Not dropped by any security service or rule.

Strata firewalls running PanOS 10.0.x or above
Prisma Access running dataplane 10.0
Traffic is subjected to SSL decryption with the security rule having at least 1 security profile.

The issue is caused by an issue in the content decoder processing of the PanOS which results in the corruption of the downloaded file.

The issue is fixed by upgrading to the PanOS 10.0.10 / 10.0.9-h1 / 10.1.5 or 10.2.1 release.

Available workaround until the upgrade can be done:

Disable SSL decryption for the traffic/user impacted.
If that is not acceptable, Remove all the security profiles from the security rules the traffic matches.

The issue is usually observed when multiple files are downloaded simultaneously and the file size is larger than 100 MB.
Check the traffic/threat logs as well. If the download is blocked by a security policy or rule, this issue is Not applicable.