After Upgrading our PA-820 to 11.0.2, we're seeing lots of data on dns-base application.


L2 Linker

After Upgrading our PA-820 to 11.0.2, we're seeing lots of data on "dns-base" application.  In a 24-hour period, I'm seeing 5PBs+ of data coming through, which is way over our limits for our internal network (two DNS servers at 1GB NIC each) and external network.  Our ISP bandwidth is 500/500 Mbps.  So it's going way over our MAX capacity.  However, if you look at the Management Plane and the Data Plane, they are both under 25%.  I'm thinking it's just not showing the numbers properly.  The DNS Servers that supposedly are communicating with external DNS Servers (8.8.8.8, 1.1.1.1, OpenDNS, etc.) are not showing tons of traffic.

 

39 REPLIES

L4 Transporter

If you opened a ticket with TAC can I ask that you escalate it with your account manager and sales engineer as this should be hotfixed in my opinion, and my Palo Alto support team concurs.  This is causing havoc with our traffic anomaly security tools and while 10.2.6 will tentatively be released the week of 9/25, 11.0.4 is at minimum 60 days out and we are forced to run this on our PAN-1410 appliances.

L2 Linker

Hi,

I just submitted the case to see if it can be escalated to a HotFix.  The engineering tech I'm working with said he'll get back with me for an update.

L2 Linker

Hi everyone,

 

Looks like the push must have worked.  We are now seeing the update sooner.  See below:

+++++ SNIP +++++

A new comment was created on your recent case ( 02618638 ). To view the details of this case, provide input or add attachments, please click here.

 

Comment: Hi Raul,

Greetings! I hope you are doing good. Thank you for your patience. The fix has been now implemented in below next releases below.

10.2.6 ====> 9/28/23
11.0.3 ====> 10/19/23

Meanwhile, If you have any queries feel free to reach out to me, I will be glad to assist you. Have a nice day!

++++ END SNIP +++++++


 

L2 Linker

I'm seeing this as well on versions 10.2.4-h3, anyone else on this version that can verify? I saw a pattern and it seems to be every Monday around 6am PST to 10am PST

I couldn't pinpoint a pattern.  What I did find out is it began when our internal users began to use the network/Internet.  The good thing is that a fix is on its way.

 

Do you know if it brought down traffic or seems to be more of a cosmetic issue? Since obviously the packet size is exaggerated? How we came about this issue is that every Monday, our traffic is brought down to its knees for a few hours, not sure if this is related or not, but we experienced this issue after upgrading to 10.2.4-h3

L2 Linker

Albert,

I cleared out all the stats from the switches and monitored the traffic from the IPs the firewall supposedly was coming from, but I was getting a lot more from my backup and surveillance.  I monitored from the switch level and the firewall level.  And again, the traffic displayed by the dns-base was wrong.

Let me know if your Team will update to 10.2.6

L2 Linker

We will not be using the 10.2.6.  We will be waiting for version 11.0.3.  However, I did see the following on the 10.2.6 Release Notes:

PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-base application traffic byte count.

 

Regards,

 

Raul Trujillo

L4 Transporter

We will be upgrading a single PAN-450 HA cluster to 10.2.6 tonight for initial testing.  I will plan to report back tomorrow with results.

In our case 10.2.6 does fix it, but it fixes it so good that no network activity is displayed at all, no ACC data on any of the tabs.

I've just let PA support know, I'd hold off upgrading unless you don't need that data.

L2 Linker

Here too. PA-440 on 10.2.6 displays now  "no data" in ACC. This is a great fix guys at Palo, really a great one, congratulations.

L2 Linker

Yup.  Palo engineers tried to fix the previous issue and created a new issue.  Now, no data shows up in ACC.  Here is the new case # 02743265.  It won't be fixed until the next update.  There's no date on the release yet.

 

L2 Linker

On my PA-440 version 10.2.7-h3 did fix the ACC problem. Happy holiday...

L0 Member

Version 11.1.1 

PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity, Threat Activity, and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.

 

I tested now with version 11.1.1 on two Firewalls. ACC with 12H is fine and works. 6h, 1h or 15min shows "No data to display" and sometimes (in 10% of cases) it works. I think the bug is not fixed in 11.1.1.
