Users cannot browse secure Web sites via Cloud SWG
Article ID: 221092

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are not able to connect to common Web applications such as Google, OWA, Teams and Outlook via Cloud SWG (formerly known as WSS).

Traffic goes through a Palo Alto firewall into Cloud SWG over IPSEC, using the Trans-Proxy access method.

Reports show that most requests from users experiencing this issue have a 'connect_method_denied' verdict.

The problem only started within the last day or so.

Environment

Palo Alto firewall running version 8.1.12

IPSEC tunnel into Cloud SWG

PAC file pushed down to users, pointing them to the trans-proxy endpoint (199.19.250.205:80)

Cause

The Palo Alto firewall was dropping responses from Cloud SWG.

Resolution

Upgrade to the latest version of the Palo Alto firewall OS (this problem was caused by a bug in version 8.1.12).

On an older Palo Alto code base, the problem can be worked around by applying the following firewall command, which disables the option that triggered the issue:

set system setting ctd nonblocking-pattern-match disable

Additional Information

HTTP logs from Cloud SWG showed the 'connect_method_denied' verdict for all user requests, with a time taken of 30 seconds. This 30 second timeout is triggered when the client fails to complete the SSL handshake within that timeframe.

PCAPs from the user showed that each HTTP CONNECT request failed to get a '200 Connection established' response from Cloud SWG; this triggered resets, but the host never saw the expected 200 status.

PCAPs from the firewall showed that it did get the 200 status response back from Cloud SWG, but never got the expected TLS client_hello message that typically follows the connection establishment.
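The diagnosis above can be reproduced from a client without taking PCAPs, by walking the explicit-proxy path one stage at a time: TCP connect to the proxy, the CONNECT status line, then the TLS handshake through the tunnel. The Python script below is an added example and is not part of this article or any Broadcom or Palo Alto tool. It assumes a CONNECT-style proxy endpoint (for instance the trans-proxy address from the Environment section) and, so that it runs offline, includes a constructed local stub that imitates the two failure signatures seen here: the user-side view (CONNECT never answered) and the firewall-side view (200 returned but the tunnel dies before the ClientHello completes). Point probe_connect() at a real proxy to see which stage a user is actually stuck at.

```python
import socket
import ssl
import threading


def probe_connect(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Walk the explicit-proxy path stage by stage and report the last stage
    reached: 'tcp_connect', 'connect_response', 'tls_handshake' or 'done'.
    'detail' carries the error text or status line observed at that stage."""
    result = {"stage": "tcp_connect", "detail": ""}
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        result["detail"] = str(exc)
        return result
    with sock:
        # Stage 2: send CONNECT and wait for the proxy's status line.
        result["stage"] = "connect_response"
        request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                   f"Host: {target_host}:{target_port}\r\n\r\n").encode()
        sock.sendall(request)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    result["detail"] = "proxy closed the connection before answering CONNECT"
                    return result
                buf += chunk
        except socket.timeout:
            # Matches the user-side PCAP in this article: no 200 ever arrives.
            result["detail"] = f"no CONNECT response within {timeout}s"
            return result
        status_line = buf.split(b"\r\n", 1)[0].decode(errors="replace")
        parts = status_line.split()
        if len(parts) < 2 or parts[1] != "200":
            result["detail"] = status_line
            return result
        # Stage 3: tunnel is up; the ClientHello now has to cross it.
        result["stage"] = "tls_handshake"
        ctx = ssl.create_default_context()
        try:
            tls = ctx.wrap_socket(sock, server_hostname=target_host)
        except (ssl.SSLError, OSError) as exc:
            result["detail"] = str(exc)
            return result
        with tls:
            result["stage"] = "done"
            result["detail"] = tls.version()
    return result


class StubProxy(threading.Thread):
    """Constructed stand-in for the proxy endpoint (not Cloud SWG), used to
    exercise the probe offline. 'ok_then_close' answers 200 and drops the
    tunnel, so the TLS handshake never completes; 'silent' never answers
    CONNECT at all, so the client times out waiting for the status line."""

    def __init__(self, behaviour):
        super().__init__(daemon=True)
        self.behaviour = behaviour
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        self.srv.settimeout(10)
        try:
            conn, _ = self.srv.accept()
        except OSError:
            return
        with conn, self.srv:
            conn.settimeout(10)
            try:
                conn.recv(4096)  # consume the CONNECT request
                if self.behaviour == "ok_then_close":
                    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                else:
                    conn.recv(4096)  # stay silent until the client gives up
            except OSError:
                pass


def demo(behaviour, timeout=1.0):
    """Run the probe against a stub imitating one failure mode; returns the probe result."""
    stub = StubProxy(behaviour)
    stub.start()
    result = probe_connect("127.0.0.1", stub.port, "example.invalid", timeout=timeout)
    stub.join(timeout=10)
    return result


if __name__ == "__main__":
    for mode in ("ok_then_close", "silent"):
        print(mode, demo(mode))
```

A probe stuck at 'connect_response' from the user's machine while the same probe from a host beside the firewall reaches 'tls_handshake' localises the loss to the firewall path, which is exactly the split the two PCAPs above showed.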