Users cannot browse secure Web sites via WSS


Article ID: 221092




Web Security Service - WSS


Users are not able to connect to common Web Applications such as Google, OWA, Teams, Outlook via WSS

Traffic is going through Palo Alto IPSEC firewall into WSS using Trans-Proxy access method

Reports show that most requests from users experiencing this issue report a 'connect_method_denied' verdict

The problem only started within the last day or so


Palo Alto firewall dropping responses from WSS


Palo Alto firewall running version 8.1.12

IPSEC tunnel into WSS

PAC file pushed down to user to point to trans-proxy endpoint (



Upgrade to latest version of Palo Alto Firewall OS (this problem was caused by a bug in version 8.1.12).

On an older Palo Alto code base, the problem can be worked around by applying the following firewall command, which disables the option that triggered the issue:

set system setting ctd nonblocking-pattern-match disable

Additional Information

HTTP logs from WSS showed the 'connect_method_denied' verdict for all user requests, with a time taken of 30 seconds. This 30 second timeout was triggered when the client failed to complete the SSL handshake within that timeframe.

PCAPs from the user showed that each HTTP CONNECT method would fail to get a 200 'Connection established' response from WSS; this would trigger resets, but the host would never see the expected 200 status back.

PCAPs from the firewall showed that it got the 200 status response back from WSS, but never got the expected TLS client_hello message that typically follows the connection establishment.
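
The log signature described above (CONNECT requests denied with 'connect_method_denied' after roughly 30 seconds) can be checked per client before pulling PCAPs. The following is an added example, not part of the original article or any Symantec or Palo Alto tooling; the CSV column names, the sample rows and the one-second tolerance are assumptions made for illustration and do not reflect the actual WSS log schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not the WSS log schema.
SAMPLE_LOG = """\
client_ip,method,host,verdict,time_taken_s
10.0.0.5,CONNECT,www.google.com:443,connect_method_denied,30.0
10.0.0.5,CONNECT,outlook.office365.com:443,connect_method_denied,30.1
10.0.0.5,CONNECT,teams.microsoft.com:443,connect_method_denied,30.0
10.0.0.5,GET,example.com,allowed,0.2
10.0.0.9,CONNECT,www.google.com:443,allowed,1.4
10.0.0.9,CONNECT,blocked.example:443,connect_method_denied,0.1
10.0.0.9,CONNECT,outlook.office365.com:443,allowed,2.2
"""

HANDSHAKE_TIMEOUT_S = 30.0  # timeout stated in the article
TOLERANCE_S = 1.0           # assumption: slack for timing jitter in the logs


def handshake_timeout_clients(log_text, min_ratio=0.5):
    """Return {client_ip: (timed_out, total_connects)} for clients where more
    than min_ratio of CONNECT requests were denied at the ~30 s timeout."""
    totals = defaultdict(int)
    timed_out = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["method"] != "CONNECT":
            continue  # only CONNECT tunnels are followed by a TLS handshake
        totals[row["client_ip"]] += 1
        elapsed = float(row["time_taken_s"])
        # A denial far from 30 s does not match the timeout signature.
        if (row["verdict"] == "connect_method_denied"
                and abs(elapsed - HANDSHAKE_TIMEOUT_S) <= TOLERANCE_S):
            timed_out[row["client_ip"]] += 1
    return {ip: (timed_out[ip], n) for ip, n in totals.items()
            if timed_out[ip] / n > min_ratio}


if __name__ == "__main__":
    for ip, (bad, total) in handshake_timeout_clients(SAMPLE_LOG).items():
        print(f"{ip}: {bad}/{total} CONNECTs denied at the 30 s handshake timeout")
```

Clients that this flags are the ones worth capturing on both sides of the firewall, to confirm whether the 200 response from WSS reaches the host.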