Content 596 Update - Seeking more details on customer reported problems

cancel
Showing results for 
Search instead for 
Did you mean: 

Content 596 Update - Seeking more details on customer reported problems

L1 Bithead

Can anyone provide details on some of the problems that were experienced after applying content update 596?

We spent all night troubleshooting a problem where our PA3020 was impacting TCP\9100 traffic. The problem started soon after the update. We would see the TCP handshake between a print server and printer occur, some data would be sent, then we would see TCP retransmissions, long delays in responding to ACK's and a TCP reset from the printer.

It stopped when we bypassed the PA.

 

I am curious if this could be related to the recalled content update.

 

5 REPLIES 5

L1 Bithead

strongly agree with btrotter: give us some explanation, plz. 🙂

yesterday we had nearly 100% cpu load on useridd process on one cluster's member and 197% 😮 on second member. i restarted useridd daemon and evertyhing gone to the normal state.

probably it is not connected but it would be nice to know what is wrong with 596.

 

regards 🙂

Cyber Elite
Cyber Elite

It would be nice if they provided a little insight to what was actually happening with 596 as our 3020 was all ready to install it before the update was pulled; thankfully it only installs on Wednesdays at 1am or if I really want to force it because of a false positive. 

This update with the SMB fix was soemthing I was really looking forward to as well, since that broke some things for us earlier and I've had to just exlude the vulnerabilty ID for a specific user group. 

Cyber Elite
Cyber Elite

"This issue was caused by a PAN-OS bug in 7.1.x, that was triggered by the introduction of an IPS signature in this content update. The bug impacts traffic processing and application identification on firewalls running PAN-OS 7.1.x"

 

This was the information that I was able to find. It seems like in the past month I've ran into more problems with threat signatures then what I thought was possible. It would be nice if Palo just set these to alert instead of reset-both if they were unsure if they were actually going to work. I would rather have something that was only alerting me to an issue instead of something was was breaking connections. 

Cyber Elite
Cyber Elite

Hello,

I know its a bit late, but I have my PAN's set to dynamically update daily with a threshold. This way I might be only a day behind, but protects against these types of releasese.

 

Regards,

 

L1 Bithead
While working with a PA engineer today, we got the following response. I am not sure this is an official response or an engineer giving his thoughts on it.

"App update 596 was causing issues with Layer 7 processing, application decoding, and the application engine.  Any problems at Layer 7 (application layer) could cause alterations to the application data being passed, such as the truncated packets we were seeing.  The bug could impact any application. "

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!