Random issue with PDFs after upgrade to R80.40

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hi Checkmates,

We have encountered a very strange issue since upgrading to R80.40, the issue was not present on R80.30 but appeared immediately after the upgrade. We randomly cannot open PDFs on some HTTPS sites (cisco.com and undocs.org are 2 examples), when attempting to open the PDFs either in browser (Chrome, Edge or Firefox) or directly save them to disk results in an error which appears to be an SSL negotiation failure. The odd thing is that the issue is only present for PDFs and it's completely random, a PDF will open fine and then on the next refresh it fails. It seems to be about a 75% percent chance that it won't work and it makes no difference if the file is cached (eg had already worked at some point). Every other file type works without problem, this only occurs when accessing PDFs on some HTTPS sites.

For example

I just clicked this link:

https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3...

And the PDF opened (after being scanned by Threat Emulation).

I then refreshed the page and it failed (error in browser is 'We can't open this file, something went wrong') on the next refresh it opens again and then fails the next 3 times and then works again.

When it fails, the error in dev tools is:

Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR

The same thing happens if I try to download the file without opening in the browser.

The same thing happens on this UN site:

https://undocs.org/en/A/75/5%20(Vol.%20I)

However in this case there is an option to get a Word copy of the document and that always works. Again the SSL issue only occurs for PDF documents, the sites themselves all work fine outside of that. We haven't had reports of any general SSL issues since moving to R80.40 and outside of this particular issue which I experienced myself directly after the upgrade on cisco.com, HTTPS inspection seems to work fine. Also I'm only aware of a handful of sites that we have the issue with, most sites with PDFs are fine.

The gateways are R80.40 with HFA 91 installed and most of the Threat Prevention blades enabled, the issue happens on both cluster members. There is nothing logged and I haven't debugged the WSTLSD daemon at this point, just wondering if anyone else has experienced this issue?

Cheers,

Gareth