Users cannot browse secure Web sites via WSS


Article ID: 221092


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Users are not able to connect to common web applications such as Google, OWA, Teams and Outlook via WSS.

Traffic is routed through a Palo Alto firewall over an IPsec tunnel into WSS using the Trans-Proxy access method.

Reports show that most requests from the users experiencing this issue return a 'connect_method_denied' verdict.

The problem only started within the last day or so.

Cause

The Palo Alto firewall is dropping responses from WSS: the 200 'Connection established' reply to the client's CONNECT request never reaches the user.

Environment

Palo Alto firewall running PAN-OS 8.1.12

IPsec tunnel into WSS

PAC file pushed down to users, pointing them at the trans-proxy endpoint (199.19.250.205:80)


Resolution

Upgrade to the latest version of PAN-OS (this problem was caused by a bug in version 8.1.12).

On older Palo Alto code the problem can be worked around by applying the following firewall CLI command, which disables the option that triggered the issue:

set system setting ctd nonblocking-pattern-match disable

Additional Information

HTTP logs from WSS showed the 'connect_method_denied' verdict for all of the affected users' requests, each with a time-taken of 30 seconds. This 30-second timeout fires when the client fails to complete the SSL/TLS handshake within that window.

PCAPs from the user host showed that each HTTP CONNECT request failed to receive a 200 'Connection established' response from WSS; the connection was eventually reset, but the host never saw the expected 200 status.

PCAPs from the firewall showed that it did receive the 200 status response from WSS, but it never saw the TLS client_hello message that normally follows the connection establishment. Taken together, the captures place the loss between the firewall and the client: WSS answered, the firewall received the answer, the client never got it, and so it never sent the client_hello that WSS was waiting for.
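The three-hop exchange described above (CONNECT from the client, 200 'Connection established' from the proxy, TLS client_hello from the client) can be reproduced end to end without any network access. The script below is an added example and is not part of this article or of the WSS or PAN-OS products: it sends a CONNECT to a proxy endpoint, waits a bounded time for the 200, and if the 200 arrives sends a hand-built client_hello, reporting which stage completed. A constructed loopback stand-in for the trans-proxy (class `FakeProxy`, the hostname `www.example.com`, and the `drop_200` flag are all assumptions of the example) either behaves normally or swallows the 200, which is the net effect the user-side captures showed when the firewall discarded the reply. Pointed at a real proxy endpoint, `probe_connect` is the quick check to run from an affected host before pulling PCAPs.

```python
"""Reproduce the CONNECT / 200 / ClientHello sequence against a loopback stand-in proxy."""
import socket
import struct
import threading


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS ClientHello record with an SNI extension.

    Only what a middlebox inspects matters here: record type 0x16 (handshake),
    handshake type 0x01 (client_hello) and the server_name extension.
    """
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0)
    name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x00" * 32            # random (constant in this example)
        + b"\x00"                 # session_id: empty
        + b"\x00\x02\xc0\x2f"     # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"             # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe_connect(proxy_host: str, proxy_port: int, target: str, timeout: float = 5.0) -> str:
    """Send CONNECT and report how far the exchange got.

    'no_200'          no reply before the timeout (what the user-side PCAPs showed)
    'denied:<status>' the proxy answered with something other than 200
    'tls_sent'        200 received and the ClientHello went out (a healthy path)
    Use a timeout well below the 30 s WSS waits for the handshake so the probe reports quickly.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(f"CONNECT {target}:443 HTTP/1.1\r\nHost: {target}:443\r\n\r\n".encode())
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    return "no_200"      # peer closed without answering
                buf += chunk
        except socket.timeout:
            return "no_200"              # reply lost in transit
        status_line = buf.split(b"\r\n", 1)[0].decode(errors="replace")
        if " 200 " not in status_line:
            return "denied:" + status_line
        s.sendall(build_client_hello(target))
        return "tls_sent"


class FakeProxy(threading.Thread):
    """Constructed stand-in for the trans-proxy endpoint on a loopback port (assumption of this example).

    drop_200=True reads the CONNECT but never delivers the 200: the client sees exactly
    what it saw when the firewall discarded the real reply.
    """

    def __init__(self, drop_200: bool):
        super().__init__(daemon=True)
        self.drop_200 = drop_200
        self.got_client_hello = None
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            conn.settimeout(5)
            req = b""
            while b"\r\n\r\n" not in req:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                req += chunk
            if self.drop_200:
                try:
                    conn.recv(1)         # stay silent until the client gives up and closes
                except socket.timeout:
                    pass
                return
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            first = b""
            while len(first) < 6:
                chunk = conn.recv(6 - len(first))
                if not chunk:
                    break
                first += chunk
            # record type 0x16 at offset 0, handshake type 0x01 (client_hello) at offset 5
            self.got_client_hello = len(first) == 6 and first[0] == 0x16 and first[5] == 0x01


def run_scenario(drop_200: bool):
    """One probe against the stand-in; returns (client verdict, whether the proxy saw a ClientHello)."""
    proxy = FakeProxy(drop_200)
    proxy.start()
    verdict = probe_connect("127.0.0.1", proxy.port, "www.example.com", timeout=1.0)
    proxy.join(timeout=5)
    return verdict, proxy.got_client_hello


if __name__ == "__main__":
    print("healthy path:", run_scenario(False))   # ('tls_sent', True)
    print("200 dropped: ", run_scenario(True))    # ('no_200', None)
```

Run from an affected host against the real endpoint, a `no_200` result with a short timeout reproduces the user-side capture in seconds instead of waiting for the 30-second `connect_method_denied` verdict on the WSS side, and a `tls_sent` result after the firewall upgrade or workaround confirms the fix without another round of PCAPs.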

Attachments