After upgrading our PA-820 to 11.0.2, we're seeing lots of data on the "dns-base" application. In a 24-hour period, I'm seeing 5PBs+ of data coming through, which is way over our limits for our internal network (two DNS servers at 1GB NIC each) and external network. Our ISP bandwidth is 500/500 Mbps. So it's going way over our MAX capacity. However, if you look at the Management Plane and the Data Plane, they are both under 25%. I'm thinking it's just not showing the numbers properly. The DNS Servers that supposedly are communicating with external DNS Servers (220.127.116.11, 18.104.22.168, OpenDNS, etc.) are not showing tons of traffic.
If you opened a ticket with TAC, can I ask that you escalate it with your account manager and sales engineer, as this should be hotfixed in my opinion, and my Palo Alto support team concurs. This is causing havoc with our traffic anomaly security tools, and while 10.2.6 will tentatively be released the week of 9/25, 11.0.4 is at minimum 60 days out and we are forced to run this on our PAN-1410 appliances.
Looks like the push must have worked. We are now seeing the update sooner. See below:
+++++ SNIP +++++
A new comment was created on your recent case ( 02618638 ). To view the details of this case, provide input or add attachments, please click here.
Comment: Hi Raul,
I hope you are doing good.
Thank you for your patience. The fix has now been implemented in the next releases below.
Meanwhile, if you have any queries, feel free to reach out to me; I will be glad to assist you.
Have a nice day!
++++ END SNIP +++++++
Do you know if it brought down traffic or seems to be more of a cosmetic issue, since obviously the packet size is exaggerated? How we came about this issue is that every Monday, our traffic is brought down to its knees for a few hours. Not sure if this is related or not, but we experienced this issue after upgrading to 10.2.4-h3.
I cleared out all the stats from the switches and monitored the traffic from the IPs the firewall supposedly was coming from, but I was getting a lot more from my backup and surveillance. I monitored from the switch level and the firewall level. And again, the traffic displayed by the dns-base was wrong.