https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/92789#M43735 <P>So my network consists of a PA200, a Juniper SRX, 2 servers, a VOIP phone, and a WAP.&nbsp;</P><P>&nbsp;</P><P>I recently configured the PA-200 with 3 subinterfaces for the 172.16.2.1/24, 172.16.3.1/24, and 172.16.4.1/24 networks. The Juniper port was configured with as a trunk and allowed all these vlans across. The interfaces on the SRX were configured for the appropriate VLAN and all of them could hit their respective .1 IPs on the Palo.&nbsp;</P><P>&nbsp;</P><P>Here's my issue. Traffic was UNBEARABLY slow. Connectivity was there but web traffic was often not fast enough to actually connect to the webpage.</P><P>&nbsp;</P><P>The Palo was configured as bare bones as possible. An Allow all policy, a single NAT for internet, one trunk interface to the switch and one internet facing link, one virtual route, and no features applied to the interface.</P><P>&nbsp;</P><P>This is a very standard design, and one I've actually implemented at client sites, but I must be missing something here.&nbsp;</P><P>&nbsp;</P><P>I'm just looking for simple design pointers to get the switch and palo configured correctly.</P> Tue, 28 Jun 2016 00:45:26 GMT Zolson1 2016-06-28T00:45:26Z https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/92789#M43735 <P>So my network consists of a PA200, a Juniper SRX, 2 servers, a VOIP phone, and a WAP.&nbsp;</P><P>&nbsp;</P><P>I recently configured the PA-200 with 3 subinterfaces for the 172.16.2.1/24, 172.16.3.1/24, and 172.16.4.1/24 networks. The Juniper port was configured with as a trunk and allowed all these vlans across. The interfaces on the SRX were configured for the appropriate VLAN and all of them could hit their respective .1 IPs on the Palo.&nbsp;</P><P>&nbsp;</P><P>Here's my issue. Traffic was UNBEARABLY slow. Connectivity was there but web traffic was often not fast enough to actually connect to the webpage.</P><P>&nbsp;</P><P>The Palo was configured as bare bones as possible. An Allow all policy, a single NAT for internet, one trunk interface to the switch and one internet facing link, one virtual route, and no features applied to the interface.</P><P>&nbsp;</P><P>This is a very standard design, and one I've actually implemented at client sites, but I must be missing something here.&nbsp;</P><P>&nbsp;</P><P>I'm just looking for simple design pointers to get the switch and palo configured correctly.</P> Tue, 28 Jun 2016 00:45:26 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/92789#M43735 Zolson1 2016-06-28T00:45:26Z https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/92946#M43742 <P>Try lookig at the global counters to see if something odd surfaces (extreme amount of fragmentation maybe?)</P> <P>&nbsp;</P> <PRE>&gt; show counter global filter delta yes</PRE> <P>next you could try setting the interface speed and duplex statically on all connected devices and switch</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 Jun 2016 07:42:26 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/92946#M43742 reaper 2016-06-28T07:42:26Z https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/93249#M43775 <P>Is the SRX doing any sort of filtering? Are you double natting? ie doing NAT on the juniper and the PAN?&nbsp;</P><P>&nbsp;</P><P>Sounds like you are using the SRX as a switch? Hopefully L2 only? clients/servers are using the PAN as their gateway?</P><P>&nbsp;</P><P>The fact that its working at all indicates asymetric routing is not the issue (i.e client &gt; juniper &gt; PAN &gt; Internet &gt; PAN &gt; client - so not returning to the client via the Juniper), but can you confirm the L3 flow is (client &gt; PAN &gt; Internet &gt; PAN &gt; client)?</P><P>&nbsp;</P><P>&nbsp;</P><P>Is performance slow for traffic other than web browsing?</P><P>&nbsp;</P><P>A common issue I see with web browsing performance issues specifically is using DNS servers separate to the ISP-provided ones. Any changes in this space?</P><P>&nbsp;</P> Tue, 28 Jun 2016 21:34:38 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-network-design/m-p/93249#M43775 ShannonRowe 2016-06-28T21:34:38Z