Re: Application Override to resolve PAN OS 8.1.0 SMB Issues
Does this apply to environments where the Palo Alto firewall provides routing to the local LAN and IPSEC tunnels to remote LANs on internal trusted interfaces where no Security or NAT policies are programmed?
If so, which applications need to be overridden to work-around this bug?
This is a devastating issue when it occurs.
Our work-around has been to switch the active and passive roles of 2 PA-500 firewalls to reset the routing. This restores LAN and IPSEC tunnel routing for SMB but only works until the problem returns.
It was noticed during testing and we all pretty much chalked it up to the SMBv3 improvements that allow additional threat detection and file identification capabilities that were added into 8.1. I think we were all just under the impression that it wasn't something that would make it into the actual release.
I agree. SMB is a core service and breaking it is a show-stopper. We use our firewalls as our LAN routers, and this issue resulted in intermittent collapse of SMB across our LAN subnets and across our IPSEC tunnels, totally disrupting our network operations. We discovered that we could temporarily "reset" SMB by forcing an active-passive firewall failover. SMB would work again for a few days until the next recurrence.
We did the application-override but it was useless since we do not apply any policies on our internal routing (intrazone).
When we learned that there wasn't going to be a hot fix and that the next version of PAN-OS 8.1.1 would not be until the end of April, we decided to roll back all of our firewalls to 8.0.8.
It was also surprising that Palo Alto did not bother to respond to our ticket on this issue.
I hope this issue has caused an internal investigation to be opened into how a critical bug made it into a GA release, so hopefully it will never happen again.
This is what we tried, but it didn't work since our issues were with the Virtual Router for internal routing.
SMB Application Override
Policies / Application Override
Name: SMB L7 Inspect Exclude
Description: To improve SMB performance, Layer 7 inspection is excluded.
Source Zone: L3-trust
Source Address: Any
Destination Zone: L3-trust
Destination Address: Any
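For reference, the same rule as it would be entered from the PAN-OS configure-mode CLI. This is an added example, not part of the post above or of any Palo Alto Networks documentation. The zone names and description are taken from the posted GUI fields; the rule name is hyphenated only so it needs no quoting on the CLI. The protocol, port and App-ID lines are fields the posted fragment leaves out but which an Application Override rule requires: TCP/445 is the standard SMB port, and ms-ds-smb is an assumed App-ID name, since the App-IDs covering SMB were split by version in the 8.1 content and the exact name to target should be checked on the device.

```text
# Added example (not from the thread). Assumptions: App-ID name ms-ds-smb,
# TCP/445, and a hyphenated rule name for CLI convenience.
configure
set rulebase application-override rules SMB-L7-Inspect-Exclude description "To improve SMB performance, Layer 7 inspection is excluded."
set rulebase application-override rules SMB-L7-Inspect-Exclude from L3-trust to L3-trust
set rulebase application-override rules SMB-L7-Inspect-Exclude source any destination any
set rulebase application-override rules SMB-L7-Inspect-Exclude protocol tcp port 445 application ms-ds-smb
commit
exit
```

Note that an Application Override rule is matched on the same source zone / destination zone pair as the traffic, so traffic entering and leaving L3-trust (intrazone) is matched by a rule with both zones set to L3-trust; it is a separate rulebase from Security policy and does not require a Security rule to be referenced from. After the commit, `show session all filter application ms-ds-smb` (substitute the App-ID actually used) lists the live SMB sessions so the effect of the override on new sessions can be observed.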