We just went to Cisco Live and are also currently evaluating what an SDA deployment would look like and cost. That would move a lot of that off the firewall and back down in to the core where it belongs.
I'm also interested in their Stealthwatch product... from my understanding it seems to have the ability to do decrypted traffic anlaysis. It isn't a firewall so it won't block things it detects but I think it can hook in to a NAC solution to disable ports.
Part of the issue for us doing Netflow, and this would definitely be an issue with Stealthwatch and SDA, is that we have a lot of 2960-X switches on campus and they only do Netflow Lite.
It's the diet coke of Netflow... just one calorie, not Netflow enough.
I was at cisco Live as well. we might have been in the same room.
Those solutions are NOT cheap we got them quoted and was like WOW!
Yeah that's what I'm afraid of. Our SE is putting something together for us and we would almost definitely have to do a phased approach. They were saying at Cisco Live that it's a journey for sure.
What has sold us on it so far is the troubleshooting and monitoring. DNA Center has come a long way from Prime Infrastructure and it looks like it would help tremendously with support in our BYOD environments, including ResNet.
Can someone tell me how many PlayStation devices can run behind such a UPnP router? Does anyone have experiance with such environment?
We have a gaming office which has at least 20 PS4´s. Should this work with any UPnP router?
@ASU-NetworkTeam I was looking at this on my PS4 at home and noticed on my PA220 lab unit that the NAT type still shows as Type 3 Strict. My configuraton at home doesn't use a NAT pool.. it should be only using the single IPv4 address my ISP provides me. I believe I have it configured for DIPP.
Anything else you guys are doing that might be leading to the better NAT types? Did you mentioned you disabled oversubscription?
Yes we stop doing the active / active due to budget. PA has some really outrageous pricing for active / active. It basically doubles the bill and not worth it in my opinion. You would be better off upgrading to a more powerful unit and doing active standby for budget reasons from what I have seen.
We have Active Standby and use LACP to a cisco 4500X routers. It works great and you also have the option to have the standby unit in no shut to keep routing protocol active if needed for faster fail over. Unless you have a need for the active / active because of usage, you are fine changing to active / passive. You know your network better than anyone so don’t just take my word, but it is worth researching it.
We have also found that the newer units are much more powerful than our older 5020 and the renewals are much LESS but the upfront purchase cost is ridiculous. I guess PA going to make $$$ somehow. You would think for the amount of money we pay we could at least get USA support 100%. I get so sick of calling and spending an hour or more getting passed the language barrier and then the technical explanation, or someone in India who really does not care and trying to just get the ticket closed.
So I test everything this morning XBOX and ps4. Xbox reports OPEN and ps4 is type 2 and working. The students are happy so far. Also issues with facetime quality and other things are gone. Using NAT pool apparently is a bad idea in palo alto world.
So yes down to two options. Route public WAN addresses to the clients or NAT each subnet to a different WAN address to avoid oversubscription.
I will post screenshots here in a few of what we did
I'd be interested to find out if you're still running this solution the same way a year later. I've recently joined a team, and the current solution has been to set up a 1-to-1 private to public NAT per previous recommendations from Palo Alto on the topic. However, I don't see this as a long term solution as our userbase grows, and this is the first I've seen of a potential alternative solution. Additionally, similar issues present themselves with students who are PC gaming, and mapping them this way is not ideal at best. If NAT to a single IP for this special use case could resolve the issue, I'd see that as a usable approach.
Also, Are you still blocking all inbound with good results? Everywhere else I've seen says to open certain ranges of inbound ports but I've been dubious of how necessary it is.
Thanks for sharing this info! Really hope to find out some more about it.
Just found this topic as work in a University, and have started getting the same enquiries from students wanting to use Nintendo Switch. Our dynamic IP & port setup is resulting in a NAT Type D on their consoles. I had made the network dual-stack, and had optimistically hoped the gaming networks would be using IPv6 and thus avoid this issue, but it seems not...
Will probably go with the static NAT IP per private subnet idea and see how that goes.
@aceandy79I would be curious what your results are. I have a test unit at home and while I can't really set it up as true static NAT since I get a dynamic IP from my service provider, it is still only one IP it is using. I still see strict NAT on my home gaming devices.
Granted, it's entirely possible their port algorithms are set up differently for a true static IP configuration vs a Dynamic IP even though you're only ever getting the same IP.
I'd also encourage any Higher Ed or other entity supporting multiplayer gaming to contact your Palo Alto sales team and look into supporting Feature Request 7654. I put this in about 2 years ago asking for some DIPP NAT option to implement something like "sticky NAT" and/or to implement something closer to Cisco's ASA implementation for Port Address Translation (PAT). I was told by our sales team that these Feature Requests gain priority based on the number of customers that express the need for the specific feature.
There may be a better option than the one outlined in that specific FR but, one way or the other, I feel like we as a community can get together and express interest in something to get this fixed that doesn't involve using another vendor's product for gaming networks.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!