topic New PA user and currently concerned in General Topics

New PA user and currently concerned

Alex_Samad — Tue, 25 Jul 2017 21:52:54 GMT

I am a new PA user, purchased a pa-850 and 2 x PA5220's

Adding these to my OSPF network, i have setup a policy "network protocols" that allows OSPF.

But for some reason in my log, I get OSPF time out session and aged out sessions and sessions that have 0 bytes.

So I contact support. after 2-3 weeks, they bring it up in their lab and I am told this is normal behaviour.

If its normal why do they need to lab it up, it should be in the documentation yes

Also for a next gen FW that doesn't understand OSPF, wow...... I am really reconsidering my choice in PA...

So is this standard for OSPF connections.

To be clear I believe the OSPF connection is okay, atleast from my other routers point of view, its just the way that the PA are logging it, I believe I haven't as yet put them into any situation where they could cause a problem ...

Re: New PA user and currently concerned

TranceforLife — Wed, 26 Jul 2017 06:58:56 GMT

Hi,

Aged-out is fine because OSPF doesn't use TCP, it is standalone (own) protocol. Can you please post detailed (magnifying glass) log view.

Re: New PA user and currently concerned

TranceforLife — Wed, 26 Jul 2017 08:42:11 GMT

Also if you will check session browser tab, and filter based on the OSFP app, what can you see. I think it is something to do with the device own session. For instance, l am running an IPSec VPN that terminates on the PA, l also cannot clear this session as well as my counters 0 bytes:

EDIT: I'm not sure, though, if this is the case with OSPF

Re: New PA user and currently concerned

BPry — Thu, 27 Jul 2017 15:59:17 GMT

@Alex_Samad,

I'm guessing that you worked soley with level 1 TAC, which will take a while to actually accomplish much of anything and likely weren't familiar with OSPF installations. I would recommend you only let front-line support hold a case for a day, after that tell them to hand you up a tier. Personal experiance has told me that the first person you are going to get into touch with through TAC isn't going to know much about the product. Don't get me wrong, some of those guys actually are great, but Palo Alto has had to grow that team so much that a lot of them are quickly moved into tier 2 and tier 3 roles and then get passed off to other departments; sadly this means that tier 1 has decreased in recent years in their knowledge of the product.

The good news is from talking with plenty of people internal to the company they are desperatly trying to stop the tier 1 hemorage of knowledge. So they are at least trying to address the issue.

Re: New PA user and currently concerned

Remo — Thu, 27 Jul 2017 18:40:47 GMT

@BPry

It is possible to force a TAC case to be moved to level 2 or 3 after one day? Do you simply need to say "please move the case to the next level" or how does this has to be done? Over your SE?

Re: New PA user and currently concerned

BPry — Thu, 27 Jul 2017 18:46:52 GMT

@Remo,

I wouldn't say it's as simple as saying 'please move the case to the next level' but more of an 'I think this needs to go to the next level, I think this is above your head' type of thing. I haven't had anybody say no at this point, although I have had to repeat it with a little more force to get the point across. I'm not sure what TACs actual protocol is to escalate a case.

I wouldn't do this for a simple question after only a day but if it stretches out to a few days, or better yet it actually effects my users, I'm getting escalated one way or another. I'm not sure how TAC is actually graded as far as the individual is concerned, but I've connected with a few TAC techs that wanted to hold onto a case for far to long before I actually brought up escalating directly with them.

Re: New PA user and currently concerned

TranceforLife — Thu, 27 Jul 2017 20:47:47 GMT

I usually ask through the portal: Please, can we escalate this case :D.

But again it all depends on the actual issue and if you think that the conclusion was wrong or you need a bit more info, you can escalate. Most of the time, 98%, engineers are very good (EMEA TAC). 1,5 year working in the support I did escalate only twice.

Re: New PA user and currently concerned

BPry — Thu, 27 Jul 2017 21:10:05 GMT

@TranceforLife,

You said the magic words of EMEA though 😉

Re: New PA user and currently concerned

TranceforLife — Thu, 27 Jul 2017 21:12:22 GMT

Not sure where are you based (guess US), but US TAC didn't show me a good example of the support.

Re: New PA user and currently concerned

Alex_Samad — Thu, 27 Jul 2017 22:57:06 GMT

My current experience hasn't been the best.

OSPF - OKay I can accept that the Firewall can't undersstand OSPF in regards to policies - that seems like a major defect to me. Why do I pay so much for a system that ....

as for support - I have had a Global Protect issue, that I have asked to be escaled - 3 or 4 times and I am still stuck with the same person. Not getting any where.

If this had happened during my POC, I would have looked else where.

I have had some good experiences.

But a lot of them the web ex session are people randomly clicking on things, lets try this and see what happens and then lets try this.

Not sure if it makes me feel better to hear others are having same issues or worse !

Re: New PA user and currently concerned

BPry — Fri, 28 Jul 2017 12:52:04 GMT

@Alex_Samad,

If your not being escalated when your asking I would ask to speak with their manager; additionally bring your SE and your account manager into the mix. In my experiance you won't get good GlobalProtect support until you get escalated. Tier 1 can get really frustrating to deal with at times, especially when they want to commit something while I already have other changes pending or want to make a major adjustment during the middle of the day.

Re: New PA user and currently concerned

TranceforLife — Fri, 28 Jul 2017 12:53:57 GMT

Wow. I cannot believe this is all done or can be done by Palo TAC...............

Re: New PA user and currently concerned

BPry — Fri, 28 Jul 2017 14:56:39 GMT

@TranceforLife,

From what I've been told from fellow PA users EMEA TAC is a completely different experiance and generally much better then what we currently see stateside.

Re: New PA user and currently concerned

Alex_Samad — Sun, 30 Jul 2017 01:36:06 GMT

Wow , good and bad to hear I guess

I have tried the escaltion path again

Thanks

Alex

Re: New PA user and currently concerned

fjwcash — Tue, 01 Aug 2017 20:44:48 GMT

OSPF doesn't get logged as traffic, as it happens outside (or, maybe "below") the scope of the firewall engine. This is all handled in the routing functions, which happen before traffic reaches the firewall engine. However, it does get logged under System, where you can filter on "ospf", to see what it's doing. Monitor tab --> System. And there's CLI commands that can be run to display all kinds of OSPF info.

This tripped us up last week when we implemented our first OSPF setup from scratch, and nothing worked. 🙂 There's a lot of dialogs, sub-dialogs, and checkboxes that need to be filled in correctly before it all starts to work. And multiple different places that interfaces need to be associated with the OSPF stuff. But, the logs are there, and once you figure out where the information is stored in the Virtual Router configuration, it does start to make sense.

I've never used an actual routing protocol before, and I was able to get a PA-200 talking to a PA-3020 via OSPF, distributing it's IPs and subnets successfully across our internal fibre network and across our Telus MPLS links to remote PA firewalls. 🙂

One thing I've noticed with PA firewalls is that "the normal way" of thinking about firewalls and routing doesn't really apply. But once you wrap your head around "the PA way" of thinking, it all starts to make a lot of sense. We came from a FreeBSD firewall / router setup, with some Linux firewalls mixed in (so all layer 2/3 filtering) and found the PA firewalls to be a pain to work with initially. But, once we moved away from the strict-L3 packet filtering mindset, we figured out how to make the most of the features offered. Now, if only they'd drop the price ... 😉 🙂

Re: New PA user and currently concerned

Alex_Samad — Tue, 01 Aug 2017 21:36:26 GMT

I have to dissagree, I am seeing OSPF traffic in my traffic log, which is why I brought it to the tac attention.

I get that the PA is different, but I would presume that a next gen system, that has all this smarts in it would atleast understand the OSPF protocol.

A session should easily be follow, the OSPF deamon seems to be able to do it.

Having said that, the OSPF network does seem to be stable my adjancy stats show long periods of time.

Re: New PA user and currently concerned

fjwcash — Tue, 01 Aug 2017 22:38:04 GMT

Where/how are you seeing OSPF entries in the Traffic log? Do you have Security Policies in place to allow OSPF traffic, or something?

All of our PA firewalls are confgured to use OSPF for routing, but none of them have Security Policies for allowing OSPF traffic (with default deny enabled), and none of them show OSPF entries in the Traffic log. The only entries are in the System log.

We're running PanOS 6.1.x, so things may be different in newer versions.

Re: New PA user and currently concerned

Alex_Samad — Tue, 01 Aug 2017 23:12:15 GMT

Yes I do have policies in place..

Thats interesting, i could see that happening.

Now I need to test this some how... sigh..

Re: New PA user and currently concerned

Alex_Samad — Thu, 03 Aug 2017 20:43:45 GMT

So i tested and when i removed the policies it stop the OSPF from creating neighour association with the other routers

Re: New PA user and currently concerned

jvalentine — Thu, 03 Aug 2017 21:26:46 GMT

Palo Alto Networks firewalls have 2 implicit/default security rules that are always at the end of the policy. In recent PAN-OS versions, they are highlighted in yellow and can be modified. In older PAN-OS versions, they are not visible. In all cases, their behavior can be overridden by adding explicit firewall rules above.

the default intrazone-default rule permits traffic within the same zone, without logging or security profiles.

intrazone means "within the same zone". This rule permits "trust" to "trust" traffic. If you're running OSPF on the inside of your network, and the firewall is participating in OSPF, the source of the OSPF traffic is trust, and the destination is also trust. This traffic matches the intrazone-default rule WITHOUT LOGGING. So if you're running OSPF and not seeing logs, that's why.

If you'd like to see logs for OSPF traffic, you have a few choices:

1.) create an explicit security policy that permits OSPF from trust to trust, with logging.

2.) create an explicit security policy that permits all trust to trust, with logging

3.) modify the implicit/default intrazone policy and enable logging.

The last rule is the interzone-default rule, which means "between different zones". This rule denies all traffic between zones, without logging.

If your 3rd-to-last security rule is "deny any any with logging", that will override both of the implicit/default rules. This breaks OSPF, BGP, IPSEC, SSLVPN, Captive Portal, etc. and anything else that is to/from the same zone. I believe this is the main reason why Palo Alto Networks made those implicit rules visible and editable.