Unable to access ChatGPT while connected to Palo Alto GP VPN

Getting a different page when we access ChatGPT while connected to Palo Alto GP VPN.

On the same machine we can access it without any issue.

Checked the MTU of the adapter: 1400

Wireshark capture shows some error related to decryption failing, and it uses protocol QUIC.

When it's working, the protocol it uses is UDP

I recently had an issue where users were unable to access ChatGPT due to a CDN it uses being a newly registered domain which we block with URL filtering.

You probably have SSL decryption issues.
Apparently your VPN subnets are not included in your SSL decryption policy; that’s why you were able to connect.
You may want to exclude ChatGPT website in your decryption policy.

That’s because our security guy ordered me to block ChatGPT… And also QUIC traffic since we can’t decrypt it like SSL.

Something about IP governance… yada yada…

/s

THANKS for the CLUE! With the clue - I was able to go into my PAN and put an exemption for cdn.oaistatic.com in the Anti-Spyware / DNS EXCEPTIONS. Once I did this - chat.openai.com started working!!! Here is the FAQ from PAN that walks you through it!!

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCjYCAW

we block with URL filtering

Do we need to block this CDN “cdn.oaistatic.com”? Or permit it in URL filtering?
Or in DDOS profile?

I had read this in the PA KB doc, but how come it will have an effect? The traffic doesn't even go to the FW. ChatGPT traffic goes to the local internet, because we have configured the split tunnel and are allowing only internal traffic to the tunnel.

I am glad it worked for you.

I didn't think of creating an exception, since with the same Anti-Spyware profile it was working for other locations. But just now I created an exception and it started working.

Thank you!

Above fix worked for me also

In my case, I had to add the DNS exception and also add the URL to the allow list.

The URL-Filter and Anti-Spyware were involved.

You need to permit that url if you’re blocking the “newly registered domains” category elsewhere.

If you are split tunneling, then GP has no influence on the traffic.

The Support of the Community!!

Cheers!

FYI that was fixed a couple of days ago for the cdn url. I submitted it for recategorization, and to my surprise it was changed almost immediately.

Good stuff thank you