403 forbidden response is seen from explicit proxy when a client requests an upgrade to WebSocket
Created On 06/02/25 08:00 AM - Last Modified 10/24/25 22:15 PM
Symptom
• The client receives a 403 forbidden error from the proxy during the connect stage
• The client tries to establish a WebSocket connection and the proxy fails the upgrade
ERROR_LOGS
• HTTP response code sent by the proxy: 403 forbidden
• upgrade_failed
LOG_SIGNATURES
[2025-05-22 13:33:30.582][21872][debug][filter] [source/extensions/filters/listener/original_src/original_src.cc:21] Got a new connection in the original_src filter for address $client-IP:$Src.port. Marking with 123
[2025-05-22 13:33:30.582][21872][trace][filter] [source/extensions/filters/listener/pan_auth/pan_auth.cc:825] recognize a single CRLF as a line terminator:
CONNECT x.x.com:80 HTTP/1.1
Host: x.WebSocket-capable[.]com:8080
[2025-05-22 13:33:30.583][21872][debug][filter] [source/extensions/filters/listener/pan_auth/pan_auth.cc:934] Send : HTTP/1.1 200 OK
[2025-05-22 13:33:30.589][21872][debug][conn_handler] [source/server/active_tcp_listener.cc:331] [C137645768] new connection from $client-IP:$Src.port
[2025-05-22 13:33:30.589][21872][trace][http] [source/common/http/http1/codec_impl.cc:483] [C137645768] completed header: key=Connection value=upgrade <<<<< Request to upgrade
[2025-05-22 13:33:30.589][21872][trace][http] [source/common/http/http1/codec_impl.cc:483] [C137645768] completed header: key=Upgrade value=websocket <<<<< Upgrade to websocket
[2025-05-22 13:33:30.589][21872][info][http] [source/common/http/filter_manager.cc:909] [C137645768][S10006081585881617050] Sending local reply with details upgrade_failed <<<< the upgrade failed, as our proxy doesn't support WebSocket.
Proxy resetting the connection:
[2025-05-22 13:33:30.589][21872][debug][http] [source/common/http/conn_manager_impl.cc:1455] [C137645768][S10006081585881617050] encoding headers via codec (end_stream=true):
':status', '403' >>>>>>>> 403 sent
'date', 'Thu, 22 May 2025 11:33:30 GMT'
'connection', 'close'
[2025-05-22 13:33:30.589][21872][trace][connection] [source/common/network/connection_impl.cc:474] [C137645768] writing 101 bytes, end_stream false
[2025-05-22 13:33:30.589][21872][debug][http] [source/common/http/conn_manager_impl.cc:204] [C137645768][S10006081585881617050] doEndStream() resetting stream
[2025-05-22 13:33:30.589][21872][debug][http] [source/common/http/conn_manager_impl.cc:1505] [C137645768][S10006081585881617050] stream reset
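A triage sketch for the log signatures above, added here as an example and not Palo Alto Networks code: it groups proxy debug-log lines by connection id and reports connections where an Upgrade: websocket header, an upgrade_failed local reply and a 403 status all appear. The sample lines and the ids C1001/C1002 are constructed, and attributing the id-less ':status' line to the most recent connection id is an assumption that holds only when log lines from different connections are not interleaved.

```python
import re
from collections import defaultdict

CONN_RE = re.compile(r"\[(C\d+)\]")  # connection id, e.g. [C137645768]
HEADER_RE = re.compile(r"completed header: key=(\S+) value=(\S+)")
STATUS_RE = re.compile(r"^\s*':status', '(\d{3})'")

def find_failed_ws_upgrades(lines):
    """Return ids of connections that asked for a WebSocket upgrade, got an
    upgrade_failed local reply, and were sent a 403."""
    state = defaultdict(lambda: {"upgrade": False, "failed": False, "status": None})
    last_conn = None
    for line in lines:
        conn = CONN_RE.search(line)
        if conn:
            last_conn = conn.group(1)
        if last_conn is None:
            continue  # listener-filter lines before any connection id
        entry = state[last_conn]
        header = HEADER_RE.search(line)
        if header and (header.group(1).lower(), header.group(2).lower()) == ("upgrade", "websocket"):
            entry["upgrade"] = True
        if "Sending local reply with details upgrade_failed" in line:
            entry["failed"] = True
        # Assumption: the header dump has no id and belongs to the last id seen.
        status = STATUS_RE.match(line)
        if status:
            entry["status"] = status.group(1)
    return sorted(cid for cid, e in state.items()
                  if e["upgrade"] and e["failed"] and e["status"] == "403")

# Constructed sample lines modelled on the signatures above (ids are made up).
SAMPLE_LOG = """\
[2025-05-22 13:33:30.589][21872][trace][http] [source/common/http/http1/codec_impl.cc:483] [C1001] completed header: key=Connection value=upgrade
[2025-05-22 13:33:30.589][21872][trace][http] [source/common/http/http1/codec_impl.cc:483] [C1001] completed header: key=Upgrade value=websocket
[2025-05-22 13:33:30.589][21872][info][http] [source/common/http/filter_manager.cc:909] [C1001][S1] Sending local reply with details upgrade_failed
[2025-05-22 13:33:30.589][21872][debug][http] [source/common/http/conn_manager_impl.cc:1455] [C1001][S1] encoding headers via codec (end_stream=true):
':status', '403'
'connection', 'close'
[2025-05-22 13:33:31.100][21872][trace][http] [source/common/http/http1/codec_impl.cc:483] [C1002] completed header: key=Host value=example.test
[2025-05-22 13:33:31.101][21872][debug][http] [source/common/http/conn_manager_impl.cc:1455] [C1002][S2] encoding headers via codec (end_stream=true):
':status', '200'
"""

if __name__ == "__main__":
    print(find_failed_ws_upgrades(SAMPLE_LOG.splitlines()))
```
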
Environment
Product_versions
• Any version that supports Explicit proxy.
Network Config
• Explicit proxy
Cause
Hybrid-SWG does not support WebSocket upgrades during connection to the Palo Alto Networks proxy, so the firewall proxy sends a 403 forbidden error and resets the connection.
Resolution
REMEDIATION_PLAN
- Engineering is considering implementing WebSocket capability on our Explicit proxy.
Additional Information
The customer can try to use an HTTP-only connection from the client or bypass the proxy if only WebSocket is needed.