Since the upgrade to 11.1 it's noticed some websites do not load correctly or partially loads when web advertisement category is blocked
954
Created On 08/11/25 07:57 AM - Last Modified 11/15/25 00:13 AM
Symptom
• Websites load indefinitely when HTTP/2 traffic is enabled and the firewall should return a block page
• Webpage freezes on the request that is blocked
• Issue resolves when specific URL is manually blocked in browser developer tools
• Block page from firewall is received correctly when the blocked URL is accessed directly
• Issue reappears when blocked resource falls into URL categories other than "web-advertisements"
ERROR_LOGS
- HTTP 503 (Unavailable)
Environment
- Product_versions
- PAN-OS: 11.1.6-hx
- PAN-OS: 11.1.9
- Network Config
- Security policy
- Decryption Policy
- URL Filtering
- Strip ALPN is disabled
Cause
The root cause is a known issue identified as PAN-276920, which occurs when the firewall should be returning a block page for an HTTP/2 session but stalls the connection instead.
Resolution
- REMEDIATION_PLAN
- Upgrade to one of the following PAN-OS versions (or a later release): 11.1.6-h14, 11.1.10-h1, or 11.2.7.
- You can find the details in the official release notes:
- PAN-OS 11.1.6-h14 Addressed Issues https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-6-known-and-addressed-issues/pan-os-11-1-6-h14-addressed-issues
- PAN-OS 11.1.10-h1 Addressed Issues https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-10-known-and-addressed-issues/pan-os-11-1-10-h1-addressed-issues
Additional Information
- Enabling Strip ALPN on the decryption profile to convert HTTP/2 traffic to HTTP/1.1 resolves the issue for users.