PAN-OS 8.1.0 SMB Issues

Reply

Re: PAN-OS 8.1.0 SMB Issues

We have two 3050 's in ha configuration
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

We have a pair of PA-5060s, and were seriously affected.  Everyone using SMB was unable to do any work for 8 hours. 

L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

Re: Application Override to resolve PAN OS 8.1.0 SMB Issues

 

Does this apply to environments where the Palo Alto firewall provides routing to the local LAN and IPSEC tunnels to remote LANs on internal trusted interfaces where no Security or NAT policies are programmed?

 

If so, which applications need to be overridden to work-around this bug?

 

This is a devastating issue when it occurs.

 

Our work-sround has been to switch the active and passive roles of 2 PA-500 firewalls to reset the routing. This restores LAN and IPSEC tunnel routing for SMB but only works until the problem returns.

L3 Networker

Re: PAN-OS 8.1.0 SMB Issues

The problem should be fixed with 8.1.1 which is scheduled to be released by the end of April. The issue ID is PAN-93016.

 

Thanks.

Jacopo

Highlighted
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

We ran into this issue as well.  I'm really surprised this wasn't noticed during testing.  Creating the application override solved the problem.

L7 Applicator

Re: PAN-OS 8.1.0 SMB Issues

@SamKear,

It was noticed during testing and we all pretty much chopped it up to the SMBv3 improvements that allow additional threat detection and file identification capabilities that were added into 8.1. I think we were all just under the impression that it wasn't something that would make it into the actual release. 

L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

I agree. SMB is a core service and breaking it is a show-stopper. We use our firewalls as our LAN routers, and this issue resulted in intermittent collapse of SMB across our LAN subnets and across our IPSEC tunnels, totally disrupting our network operations. We discovered that we could temporarily "reset" SMB by forcing an active-passive firewall failover. SMB would work again for a few days until the next recurrence.

 

We did the application-override but it was useless since we do not apply any policies on our internal routing (intrazone).

 

When we learned that ther wasn't going to be a hot fix and that the next version of PAN-OS 8.1.1 would not be until the end of April, we decided to roll back all of our firewalls to 8.0.8. 

 

It was also surprising that Palo Alto did not bother to respond to our ticket on this issue. 

L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

I hope this issue has caused an internal investigation to be opened into how a critical bug made it into a GA release, so hopefully it will never happen again.

L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

Is there a sample of how ya'all did the App-override and made it work?

L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

This is what we tried, but it didn't work since our issues were with the Virtual Router for internal routing.

 

SMB Application Override

Policies / Application Override

  Add
    General
      Name: SMB L7 Inspect Exclude
      Description: To improve SMB performance, Layer 7 inspection is excluded.
    Source
      Source Zone: L3-trust
      Source Address: Any
    Destination
      Destination Zone: L3-trust
      Destination Address: Any
    Protocol/Application
      TCP
      Port 445,139
      Application: ms-ds-smb

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!