For a few weeks, our PlayStation stopped downloading game updates. I figured it was just a temporary issue with the PS4. Since it didn’t affect me directly but only the kids, I didn’t pay much attention at first. I planned to wait for a firmware update from Sony. When such an update eventually came but didn’t solve the issue, I started getting suspicious – especially when I found almost no relevant results online for the official error code, which reads “(HTTP Status Code : 416) (CE-40862-0)”.
After conducting further detailed searches, I finally came across a post in the Palo Alto Networks LIVEcommunity. That definitely caught my attention. If there’s one thing that sets my home network apart from most “normal” households, it’s the fact that I have a Palo Alto firewall running – not your average consumer-grade router. 😂
A real screenshot of the error message. More details about HTTP 416 are here. Unfortunately, the CE-40862-0 error is not listed on any official Sony PlayStation webpages.
The LIVEcommunity article pointed me to a setting under Device → Setup → Content-ID → Content-ID Settings: “Allow HTTP partial response.”
Indeed, I had unchecked that box a few weeks earlier. Why? Because while working on best practices for our Palo Alto landscape, we discussed this option and concluded that blocking partial HTTP responses shouldn’t be a significant issue – modern browsers surely handle those things.
Well… not quite. ;) Turns out the PlayStation relies on exactly this feature to download updates via HTTP (yes, plain unencrypted HTTP – I’m not even using TLS interception here). I probably wouldn’t have figured it out on my own if I hadn’t found that community post. I enabled that checkmark, and the updates are working again. (Using a PA-440 with PAN-OS 11.2.9.) Thank you, Internet! Luckily, I was able to explain to my kids that enabling this option on the Palo Alto firewall was ultimately for their own security. 😂
As a network engineer, I naturally captured the faulty connection from the PS4 (before re-enabling the option) with help from the ProfiShark. Here are two Wireshark screenshots of such a failed connection: (Wireshark Version 4.6.0)
Follow HTTP Stream:
And here are more details from the Palo Alto firewall. Apparently, the following counter is responsible for this type of HTTP range request: ctd_http_range_response
You can view it via CLI like this:
|
1 2 |
weberjoh@pa-home> show counter global | match range ctd_http_range_response 39376 0 info ctd system Number of HTTP range responses detected by ctd |
Monitoring this counter (in my case via Checkmk, Raw Edition 2.4.0p11, custom API integration) looks like this. You can clearly see the peaks when the PlayStation tries to pull updates. Same for the time period during which I had the option disabled on the Palo. :)
Final note: Yes, a better approach to omit this problem rather than allowing “HTTP partial responses” globally would be an Application Override policy as recommended by PANW. But I was too lazy since I’m talking about my home network here. ;)
Soli Deo Gloria!
Photo by Brett Jordan on Unsplash.
That’s a nice one, thanks for sharing! :)
I’m curious – how are you able to use a PA at home ? I am wanting to do the same thing but am finding it hard to find them to purchase. Any pointers where to buy a PA for home use ?
Yep, unfortunately, that’s a common problem. You cannot get Palos that easily on the 2nd-hand market or the like. And even if they still cost around 1000,- €.
If you’re using a Palo at work (and if you are employed as a network security engineer), you might ask your boss for a LAB or NFR unit, which are much cheaper.
I don’t have any other advice for you. :( I’m sorry.