Take Care When Applying Palo Alto Best Practices

This is a follow up from my other blog post – as I have found another issue with the best practices provided by Palo Alto, I thought I’d consolidate them in a single post.

HTTP Header Range Option

I’m going to copy this bit from my previous post:

It seems Windows Updates doesn’t play nice with Palo Alto best practices; specifically when it comes to range headers.

Palo Alto best practices state that you should block the HTTP range option for the following reason:

“The HTTP Range option allows a client to fetch part of a file only. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content”

Turns out some legitimate applications require the HTTP Header Range option – WSUS being one I came across. If you see event logs similar to the below and have range headers blocked on your Palo then it’s probably because of that.

Event ID 364 – Content file download failed. Reason: The job is not making progress. The server may be misconfigured. Background Intelligent Transfer Service (BITS) will try again later
Event ID 10032 – The server is failing to download some updates.

PAN-OS > 7.1

You can find the setting here: Device > Setup > Content-ID > Content-ID Settings

PAN-OS < 7.1

CLI access is necessary.
To view the current configuration:

show deviceconfig setting ctd

If skip-block-http-range = no then range headers are being blocked.

To allow the HTTP Header Range Option then:

set deviceconfig setting ctd skip-block-http-range yes

Forward Segments Exceeding TCP out-of-order Queue

Occasionally I have noticed large downloads fail. Files that should take seconds to download would take minutes. Often times downloads would just stall indefinitely at some random point in the download.

I came across this issue from multiple download locations – the most prevalent being the Amazon S3 storage service.

The problem can occur if too many out-of-order packets arrive and exceed the TCP out-of-order queue limit of 64 per session on the Palo. If this happens the firewall will drop the out-of-order packets which can cause sessions (and downloads) to fail.

Enabling the Forward segments exceeding TCP out-of-order queue option may rectify the issue for you.

PAN-OS > 7.1

You can find the setting here: Device > Setup > Session > TCP Settings
Check the ‘Forward segments exceeding TCP out-of-order queue’ box.

PAN-OS < 7.1

CLI access is necessary.
To view the current configuration:

show deviceconfig setting tcp

Run the following to allow the firewall to forward out-of-order packets.

set deviceconfig setting tcp bypass-exceed-oo-queue yes