Enabling the explicit proxy on the Palo Alto firewall causes some sessions to be reset, leading to inconsistent traffic drops.

Created On 05/16/25 13:10 PM - Last Modified 10/21/25 09:27 AM


Symptom


  • Explicit Proxy enabled on the firewall
  • Inconsistent traffic drops affecting specific TCP streams
  • The affected flows are visible in a packet capture but never appear in the firewall traffic logs
  • Traffic between the same source and destination is allowed in some sessions and dropped in others

LOG_SIGNATURES

  • TCP reset (RST) sent by the proxy to the client roughly 15 seconds into the session, with no corresponding connection attempt on the upstream interface
  • No entries for the dropped sessions in the firewall traffic logs

Filtering on the failing session (tcp.port == 59180, not working), we see:
[21871][debug][filter] [source/extensions/filters/listener/original_src/original_src.cc:21] Got a new connection in the original_src filter for address &client-IP:59180. Marking with 123, 16 << client IP and source port
[21871][trace][filter] [source/extensions/filters/listener/http_inspector/http_inspector.cc:182] Mark parse status as true final_seg false << false for the final segment, where it should be true since no more chunks are coming

 

PACKET_CAPTURES

Captures on the listening interface show the following (the protocol may differ; in this example it is the PKIX Time-Stamp Protocol):



Environment


  • Palo Alto VM based Firewalls
  • Palo Alto HW based Firewalls
  • PAN-OS 11.1.x
  • Explicit Proxy



Cause


  • The HTTP inspector in the Palo Alto Networks firewall's explicit proxy fails to recognise the standard "\r\n\r\n" end-of-headers sequence when the HTTP request headers and body arrive in a single packet or in combined chunks.
  • Protocols carried over HTTP POST with a binary body, such as OCSP and the PKIX Time-Stamp Protocol, do not end the request with this marker. The inspector therefore never marks the segment as final, keeps waiting for more data, and the proxy eventually terminates the session with a TCP reset instead of forwarding it upstream.
  • This is a recognised software issue. It is fixed in the following releases and later releases on the same train:
    11.1.4-h21, 11.1.6-h13, 11.1.10-h1, 11.1.11, 11.2.4-h10, 11.2.7, 11.2.8, 12.1.2
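The failure mode above, as an added illustration that is not PAN-OS or Envoy code: a simplified "final segment" check modelled on the behaviour the article describes (a segment only counts as complete if it ends with the header terminator) next to a Content-Length-based check, both run over constructed HTTP request bytes. The host names, path and the short DER body are made up for the demonstration.

```python
"""Illustration of why a single-segment HTTP POST with a binary (DER) body can be
left "incomplete" by an inspector that keys on the "\\r\\n\\r\\n" header terminator.
This is a teaching model written for this article, not the proxy's real code."""
import re

CRLF2 = b"\r\n\r\n"


def naive_final_segment(segment: bytes) -> bool:
    """Models the faulty check described in the article: a TCP segment is
    treated as the final one only if it ends with the header terminator.
    A binary body (OCSP / timestamp DER) never satisfies this."""
    return segment.endswith(CRLF2)


def request_complete(buf: bytes) -> bool:
    """Content-aware check: locate the end of the headers, then use
    Content-Length (0 when absent) to decide whether the whole request is in."""
    idx = buf.find(CRLF2)
    if idx < 0:
        return False  # headers not yet complete
    head, body = buf[:idx], buf[idx + len(CRLF2):]
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    length = int(m.group(1)) if m else 0
    return len(body) >= length


def classify(segments):
    """Feed ordered TCP segments to both checks and report the 1-based index
    of the segment at which each one first declares the request complete.
    None means the check never fires; in the article's case that leaves the
    proxy waiting until it resets the session."""
    buf = b""
    naive_at = correct_at = None
    for i, seg in enumerate(segments, 1):
        buf += seg
        if naive_at is None and naive_final_segment(seg):
            naive_at = i
        if correct_at is None and request_complete(buf):
            correct_at = i
    return {"naive": naive_at, "correct": correct_at}


def build_post(body: bytes) -> bytes:
    """Constructed OCSP-style POST (RFC 6960 carries OCSP over HTTP POST with a
    DER body). Host and path are placeholders."""
    headers = (
        b"POST /ocsp HTTP/1.1\r\n"
        b"Host: ocsp.example\r\n"
        b"Content-Type: application/ocsp-request\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    )
    return headers + CRLF2 + body


# Constructed sample data: a placeholder DER SEQUENCE, not a real OCSP request.
DER_BODY = bytes([0x30, 0x0A, 0x02, 0x01, 0x01, 0x04, 0x05]) + b"\x00\x01\x02\x03\x04"
GET_REQ = b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"
POST_REQ = build_post(DER_BODY)


if __name__ == "__main__":
    # Plain GET: both checks agree the single segment is the whole request.
    print("GET, one segment:      ", classify([GET_REQ]))
    # Headers + DER body in one segment: the naive check never fires (the
    # segment ends in DER bytes, not CRLFCRLF), which is the article's bug.
    print("POST, one segment:     ", classify([POST_REQ]))
    # Same POST with headers and body in separate segments: the naive check
    # fires early on the header segment, before the body has even arrived.
    hdr_len = POST_REQ.find(CRLF2) + len(CRLF2)
    print("POST, headers then body:", classify([POST_REQ[:hdr_len], POST_REQ[hdr_len:]]))
```

The split-segment case shows why the inspector's behaviour is inconsistent rather than a hard failure: whether a given session survives depends on how the client's TCP stack happened to segment headers and body, which matches the "same traffic allowed in some sessions and dropped in others" symptom.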


Resolution


  1. The issue is tracked and fixed under PAN-275047.
  2. Upgrade PAN-OS to 11.1.11 or 11.2.7 (or a later release on the same train) to fix the issue.
  3. As a workaround until the upgrade, bypass the explicit proxy for the affected traffic (for example OCSP and timestamp requests).


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TNDVKA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail