I have this really weird issue and I don't know how to solve it. I noticed it when I was first migrating from Checkpoint over to Palo Alto while doing verification in my development environment.
- A PAN 5050 running 8.1.15 hotfix 3. I have a CentOS host (LinuxB) behind the PAN and another CentOS host (LinuxA) outside the PAN. The FW rule is any any allow between these two hosts; the rule is at the top of the rulebase and there is nothing else. The PAN firewall is managed by Panorama. The interface on the PAN uses VLAN tagging on a single physical interface.
- I do 100 pings from LinuxA to LinuxB; the average RTT is 1.4ms. The Linux machines and the PAN are connected to the same L2 Cisco 3750 switch. My background prior to PAN is Cisco, so I am very familiar with Cisco products.
- I took out the PAN firewall and put in either a Cisco ASA or an IOS router, using the same cable and switchport that I use on the PAN firewall. When I do 100 pings from LinuxA to LinuxB, the average RTT is 0.9ms, almost a 50% improvement in latency.
I went back and checked the ping latency in my production environment (we use the open source smokeping tool to monitor our network/firewall devices) before the cutover from Checkpoint to PAN, and I noticed the same thing there.
I want to upgrade the PAN 5050 to 8.1.17 and test again; unfortunately, we ran out of support on the device, so I can no longer download 8.1.17 for the 5050, but I don't think it would have made any difference.
Does your ping rule have security profiles attached to it?
The other thing I can say is, for the application ping, do a test without any security profile to see if it makes any difference.
Also try pinging from the PA CLI using a source IP and see if there is any difference.
Did you ever get an answer for this? We have a similar issue: I swapped out the SW FW for Palo and the pings went from >1ms to 2/3 ms, with even the odd 16ms.
All traffic is on the LAN, same intrazone, and has no profiles associated. We are seeing people having issues now with applications, etc.
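As an added example (not code from any poster in this thread), here is a small Python script that parses the per-reply lines of an iputils `ping` capture from CentOS and reports mean, median, max and the number of spikes, so that the 100-ping comparison from the original post can be repeated in a way that makes a single slow reply visible instead of letting it hide in the average. The two captures, the 10.0.0.2 address and the 10 ms spike threshold are constructed for illustration.

```python
import re
import statistics
from typing import Dict, List

# Matches the per-reply line printed by iputils ping, e.g.
# "64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.42 ms"
RTT_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")


def parse_rtts(ping_output: str) -> List[float]:
    """Extract the RTT in ms of every echo reply in a ping capture."""
    return [float(m.group(2)) for m in RTT_RE.finditer(ping_output)]


def summarize(rtts: List[float], spike_ms: float = 10.0) -> Dict[str, float]:
    """Mean, median, max and the count of replies slower than spike_ms.

    The median and spike count show whether a higher mean comes from a
    uniformly slower path or from a few outliers (e.g. one 16 ms reply).
    """
    return {
        "count": len(rtts),
        "mean": round(statistics.fmean(rtts), 2),
        "median": round(statistics.median(rtts), 2),
        "max": max(rtts),
        "spikes": sum(1 for r in rtts if r > spike_ms),
    }


def compare(baseline: List[float], candidate: List[float]) -> Dict[str, float]:
    """Percentage change in mean RTT (positive means the candidate is slower)."""
    b, c = statistics.fmean(baseline), statistics.fmean(candidate)
    return {"baseline_mean": round(b, 2), "candidate_mean": round(c, 2),
            "pct_change": round((c - b) / b * 100, 1)}


# Constructed sample captures (not real measurements), five replies each.
PING_VIA_ASA = """PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.91 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.88 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.93 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.89 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.89 ms
"""
PING_VIA_PAN = """PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.40 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=1.38 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=1.45 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=16.20 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=1.37 ms
"""

if __name__ == "__main__":
    asa, pan = parse_rtts(PING_VIA_ASA), parse_rtts(PING_VIA_PAN)
    print("ASA:", summarize(asa))
    print("PAN:", summarize(pan))
    print("change:", compare(asa, pan))
```

Feed it the saved output of `ping -c 100 <host>` from each test run to get both the average the thread discusses and the outlier count.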
@Daniel_Garry: The response I received back from PAN support, after wasting so many hours with them, was that "it is expected". To me, that is NOT an acceptable response; at the same time, I didn't want to waste any more of my time fighting PAN support any further. The support from TAC was not good in this situation.
Hopefully you are running a newer version of PAN-OS, as 8.x is very old. Please check the following for newer version recommendations: