GlobalProtect VPN won’t load website on Google Chrome

Hello all, the company I work for uses Palo Alto’s GlobalProtect VPN, which has been working fine since I’ve been here until now. Pretty much one by one every day of the week another person working remote can’t load websites on Chrome, but it works fine on Edge. I’ve had them delete cookies and cache, delete and reinstall Chrome, and nothing has worked. Some people couldn’t connect to sharepoint.com while connected to the VPN, but when they disconnected it would work perfectly fine, which leads me to believe this is a firewall issue, but we haven’t changed anything recently? Has anyone experienced this and does anyone have recommendations to fix?

Also to note, I’ve tried replicating this on my laptop by connecting to my hotspot and then connecting to the VPN and it works fine for me, so this is only happening to a select few.

And I meant websites*. The main problem is some of our internal sites won’t load, but some can’t even get SharePoint to load.

Usually when Edge works but Chrome doesn’t, it’s the quic app-ID. I think the browser is supposed to fall back to TLS, but if you can validate the traffic logs for a session where a user tried to hit a site in Chrome and can’t get to it, see if the app is quic. The action may be deny / drop in a policy it’s hitting for that App-ID.

Seems strange to me that Edge works as it’s a Chromium-based browser. If you are not using split tunnel, have you ruled out DNS? It could be possible that Chrome is trying to do DNS over HTTPS and that might be getting blocked.

I’ll try to guess, maaaaybe a problem with the certificate? But it would be strange too because I think they have the same policy for it, if Firefox is the only one that doesn’t work so it can be.

It would be useful to have a packet capture from the computer when he tries to open the portal from both Chrome and Edge, so you can check when it gets stuck.

We have the exact same behavior. But we also have users where it works.

QUIC was my guess too. Guessing this is one of those times that desktop guys and the network guys are not on the same page. The network/infosec guys are probably not going to allow QUIC, so it will be on the software/desktop guys to turn it off. Google can take its QUIC and eff right off.

Hello, have you found a fix for this? I’ve narrowed it down: users on version 117 are experiencing this, and users that haven’t updated work perfectly fine.

It’s this. I’ve been seeing an uptick in these types of issues. The Palos are classifying QUIC as a threat and blocking it. We have a whitelist set up under URL to address it.

Hello! Were you able to find a fix? I am having a similar problem.

Blocking it should be fine as long as you’re Denying it and not Dropping it. Deny will tell the browser, which should then fall back to normal.

I did find a fix for me, however I can’t remember the exact specifics, but I was able to access our firewall and it was showing the traffic being dropped by one of the default policies on Palo Alto called Protocol Anomalies (or something similar), and we had to exclude the protocol that was being dropped and it started working.
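
The traffic-log check suggested in the replies, as an added example that is not part of the original thread: a Python script that scans an exported traffic log for blocked sessions that look like QUIC (App-ID `quic`, or any UDP/443 flow) and groups them by user, action and rule. The CSV column names, users, addresses and rule names are constructed for illustration; match them to your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample export; the column names are assumptions, not a fixed format.
SAMPLE_CSV = """\
Receive Time,Source User,Source address,Destination address,Destination Port,IP Protocol,Application,Action,Rule
2023/09/18 09:01:12,alice,10.20.0.15,203.0.113.10,443,udp,quic,drop,interzone-default
2023/09/18 09:01:13,alice,10.20.0.15,203.0.113.10,443,tcp,ssl,allow,web-out
2023/09/18 09:02:40,bob,10.20.0.22,203.0.113.10,443,udp,quic,deny,block-quic
2023/09/18 09:03:05,bob,10.20.0.22,198.51.100.7,53,udp,dns,allow,dns-out
2023/09/18 09:04:51,alice,10.20.0.15,198.51.100.9,443,udp,unknown-udp,drop,interzone-default
"""

# Any action other than allow means the session did not get through.
BLOCKED = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


def is_quic_candidate(row):
    """QUIC runs over UDP/443; it may be labelled quic or left as unknown-udp."""
    app = row["Application"].strip().lower()
    proto = row["IP Protocol"].strip().lower()
    port = row["Destination Port"].strip()
    return app == "quic" or (proto == "udp" and port == "443")


def blocked_quic(csv_text):
    """Count blocked QUIC-like sessions per (user, action, rule)."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Action"].strip().lower()
        if is_quic_candidate(row) and action in BLOCKED:
            hits[(row["Source User"], action, row["Rule"])] += 1
    return hits


if __name__ == "__main__":
    for (user, action, rule), count in sorted(blocked_quic(SAMPLE_CSV).items()):
        print(f"{user}: {count} QUIC-like session(s) with action={action} by rule={rule}")
```

Splitting the counts by action and rule shows whether affected users are hitting a silent drop or an explicit deny, and which policy is responsible.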