07-12-2023 10:41 AM
After Upgrading our PA-820 to 11.0.2, we're seeing lots of data on "dns-base" application. In a 24-hour period, I'm seeing 5PBs+ of data coming through, which is way over our limits for our internal network (two DNS servers at 1GB NIC each) and external network. Our ISP bandwidth is 500/500 Mbps. So it's going way over our MAX capacity. However, if you look at the Management Plane and the Data Plane, they are both under 25%. I'm thinking it's just not showing the numbers properly. The DNS Servers that supposedly are communicating with external DNS Servers (8.8.8.8, 1.1.1.1, OpenDNS, etc.) are not showing tons of traffic.
09-18-2023 01:26 PM - edited 09-18-2023 01:27 PM
If you opened a ticket with TAC, can I ask that you escalate it with your account manager and sales engineer, as this should be hotfixed in my opinion and my Palo Alto support team concurs. This is causing havoc with our traffic anomaly security tools and while 10.2.6 will tentatively be released the week of 9/25, 11.0.4 is at minimum 60 days out and we are forced to run this on our PAN-1410 appliances.
09-19-2023 08:57 AM
Hi,
I just submitted the case to see if it can be escalated to a HotFix. The engineering tech I'm working with said he'll get back with me for an update.
09-20-2023 12:41 PM
Hi everyone,
Looks like the push must have worked. We are now seeing the update sooner. See below:
+++++ SNIP +++++
A new comment was created on your recent case ( 02618638 ). To view the details of this case, provide input or add attachments, please click here.
Comment: Hi Raul,
Greetings!
I hope you are doing good.
Thank you for your patience. The fix has been now implemented in below next releases below.
10.2.6====> 9/28/23
11.0.3====> 10/19/23
Meanwhile, If you have any queries feel free to reach out to me, I will be glad to assist you.
Have a nice day!
++++ END SNIP +++++++
09-25-2023 01:19 PM
I'm seeing this as well on version 10.2.4-h3. Is anyone else on this version who can verify? I saw a pattern, and it seems to be every Monday around 6am PST to 10am PST.
09-25-2023 01:58 PM
I couldn't pinpoint a pattern. What I did find out is it began when our internal users began to use the network/Internet. The good thing is that a fix is on its way.
09-25-2023 02:56 PM
Do you know if it brought down traffic or seems to be more of a cosmetic issue? Since obviously the packet size is exaggerated? How we came about this issue is that every Monday, our traffic is brought down to its knees for a few hours, not sure if this is related or not, but we experienced this issue after upgrading to 10.2.4-h3
09-26-2023 05:04 AM
Albert,
I cleared out all the stats from the switches and monitored the traffic from the IPs the firewall supposedly was coming from, but I was getting a lot more from my backup and surveillance. I monitored from the switch level and the firewall level. And again, the traffic displayed by the dns-base was wrong.
09-28-2023 08:50 AM
Let me know if your Team will update to 10.2.6
09-28-2023 11:16 AM
We will not be using the 10.2.6. We will be waiting for version 11.0.3. However, I did see the following on the 10.2.6 Release Notes:
PAN-227639 | Fixed an issue where the ACC displayed an incorrect DNS-base application traffic byte count.
Regards,
Raul Trujillo
09-28-2023 12:12 PM
We will be upgrading a single PAN-450 HA cluster to 10.2.6 tonight for initial testing. I plan to report back tomorrow with results.
10-04-2023 07:38 AM
In our case 10.2.6 does fix it, but it fixes it so well that no network activity is displayed at all, no ACC data on any of the tabs.
I've just let PA support know, I'd hold off upgrading unless you don't need that data.
11-02-2023 06:46 AM
Yup. Palo engineers tried to fix the previous issue and created a new issue. Now, no data shows up in ACC. Here is the new case # 02743265. It won't be fixed until the next update. There's no date on the release yet.
12-27-2023 01:03 AM
Version 11.1.1
PAN-234929 | Fixed an issue where tabs in the ACC such as Network Activity, Threat Activity, and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
I tested now with version 11.1.1 on two firewalls. ACC with 12h is fine and works. 6h, 1h or 15min shows "No data to display" and sometimes (in 10% of cases) it works. I think the bug is not fixed in 11.1.1.