PaloAlto L7 Inspection breaking communication between forwarder and server

Hi @all,

for your information.

Last week we had a total communication breakdown between a forwarder located in a DMZ and a Graylog server. Communication suddenly stopped; no obvious changes had been applied to the systems involved.

We are using Forwarder 4.8 and Graylog server 4.1.14 running on CentOS 7,
the forwarder being located inside a DMZ, the server located in a server LAN. Between both, a PaloAlto firewall is taking care of the traffic.

Forwarder logs showing lines like:
“2022-06-09T12:04:13.316+02:00 ERROR [ControlClient] Unable to send Configuration request to Graylog. [Code= Description= Cause=<> RootCause=<>].”

tcpdumps show the forwarder starting a proper TCP connection, but the answers it gets back from the Graylog server look strange.

Investigations led to the conclusion that a dynamic update of PaloAlto’s L7 inspection rules messed things up. The latest L7 rules are still showing this behaviour (Prior to this everything had been working fine for almost 2 years).

Therefore we decided to bypass L7 inspection for all Graylog communication through PaloAlto to get things working again.

Hope this information is somewhat useful for the community.

regards,
Martin
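Added example, not part of the original thread or of Graylog's or Palo Alto's own code: a small probe that does what the tcpdump comparison above did by hand. It opens a TCP connection from the DMZ side, sends a request and classifies the first bytes that come back (a proper HTTP reply, a truncated one, a TLS alert or handshake record, an immediate close, a reset, a timeout, or bytes that are not HTTP at all). Running the same probe from the DMZ and from the server LAN and comparing the two results makes a tampering middlebox visible without a packet capture. The hostname, port and request path are illustrative assumptions; adjust them to the service you actually need to check.

```python
"""Probe a TCP service and classify what comes back (added example)."""
import socket

GRAYLOG_HOST = "graylog.example.internal"  # assumption: illustrative hostname
GRAYLOG_PORT = 9000                         # assumption: illustrative port
MAX_BYTES = 4096                            # enough to see full HTTP headers


def classify_response(data: bytes) -> str:
    """Classify the first bytes a peer returned after our request."""
    if not data:
        return "closed-without-reply"      # FIN with no payload
    if data.startswith(b"HTTP/1."):
        # A complete header block ends with an empty line.
        return "http" if b"\r\n\r\n" in data else "http-truncated"
    # TLS record header: content type (0x15 alert, 0x16 handshake), then 0x03 0x0X.
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    return "non-http"                      # e.g. a middlebox-injected blob


def build_probe_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 GET that any HTTP listener will answer in some way."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: dmz-probe\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def probe_connected(sock: socket.socket, request: bytes, timeout: float = 5.0) -> dict:
    """Send `request` on an already connected socket and classify the reply."""
    sock.settimeout(timeout)
    buf = b""
    try:
        sock.sendall(request)
        # Read until EOF, until the buffer is full, or until the HTTP header block is complete.
        while len(buf) < MAX_BYTES and b"\r\n\r\n" not in buf:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except BrokenPipeError:
        # Peer had already closed before we could even write.
        return {"status": "closed-without-reply", "sample": buf[:64]}
    except ConnectionResetError:
        # RST instead of a reply: typical of a blocking middlebox or a dead backend.
        return {"status": "reset", "sample": buf[:64]}
    except socket.timeout:
        if not buf:
            return {"status": "timeout", "sample": b""}
        # Partial data then silence: fall through and classify what we have.
    return {"status": classify_response(buf), "sample": buf[:64]}


def probe(host: str, port: int, request: bytes, timeout: float = 5.0) -> dict:
    """Connect to host:port and classify the reply; never raises on network errors."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return probe_connected(sock, request, timeout)
    except OSError as exc:
        return {"status": "connect-failed", "sample": str(exc).encode()[:64]}


if __name__ == "__main__":
    # Run this once from the DMZ host and once from the server LAN and diff the output.
    print(probe(GRAYLOG_HOST, GRAYLOG_PORT, build_probe_request(GRAYLOG_HOST)))
```

The classifier only looks at the opening bytes on purpose: a firewall that rewrites, truncates or resets a session shows up there, long before any application-level parsing would. For a TLS service, point the probe at the TLS port; a "tls-alert" from a host that should complete a handshake is the same kind of "strange answer" the tcpdump showed.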

@mkurz

Yes, and thank you for posting this :+1:

