This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Is PANOS 8.1.3 really functionnal on PA-3250 ?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Is PANOS 8.1.3 really functionnal on PA-3250 ?

Go to solution
Infra_DKI
L1 Bithead

‎10-02-2018 02:14 AM

Hi all,

 

We migrated 2 weeks ago from a PA-3020 to a PA-3250.

 

We upgrated the PA-3020 from PanOS 7.1.19 to 8.1.3 and then we exported the configuration and then imported it into the PA-3250 (that was already in PANOS 8.1.3)


Since this migration we faced to different issues we never encountered using the PA-3020.

The most important of them is that a significative part of http, ftp, smtp (and maybe other traffic) is often recognized as "unkonwn-tcp"

The result is that all security policies based on applications are not working as expected. 20 percent of the sessions (yes 20% !) are not well recognized and are dropped because they didn't match to a security rule.

 

To avoid a blackout of our production, we had to insert more permissives and "old fashion" rules based on adresses and port to allow this traffic.

 

A case is alsoe currently open to the support, but it does not seems to really progress...

 

Does anyone using PanOS 8.1.3 on PA-3250 hardware ?

And if yes, did you faced to similar issues ?

 

Here is a graph of one day unknown-tcp sessions :

unknown-tcp.png 

 

Regards,

1 person had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
LukeBullimore
L5 Sessionator

‎10-02-2018 04:44 AM

Hi @Infra_DKI


We faced these exact same issues going from PA-5000 series to PA-3260s - huge increase in unknown-tcp which was impacting business. For us, the fix was actually to reboot the firewalls and the problem hasn't occurred since we rebooted (1 or so weeks ago)

 

We also faced an internal path monitoring failure twice which caused dataplane restarts. TAC stated this was fixed in PAN-OS 8.1.4 with Bug-ID PAN-101182

 

Cheers,

Luke.

View solution in original post

4 REPLIES 4

Go to solution
LukeBullimore
L5 Sessionator

‎10-02-2018 04:44 AM

Hi @Infra_DKI


We faced these exact same issues going from PA-5000 series to PA-3260s - huge increase in unknown-tcp which was impacting business. For us, the fix was actually to reboot the firewalls and the problem hasn't occurred since we rebooted (1 or so weeks ago)

 

We also faced an internal path monitoring failure twice which caused dataplane restarts. TAC stated this was fixed in PAN-OS 8.1.4 with Bug-ID PAN-101182

 

Cheers,

Luke.

Go to solution
Infra_DKI
L1 Bithead
In response to LukeBullimore

‎10-02-2018 08:53 AM

This feedback is interresting. 

We faced this issue since the migration to this firewall 2 weeks ago.

I will plan a restart to see what happens...

0 Likes Likes

Go to solution
Infra_DKI
L1 Bithead
In response to LukeBullimore

‎10-04-2018 09:02 AM

I rebooted the firewall this morning and I have no more abnormal unknown-tcp sessions after 8:30

 

Capture.JPG

 

I will check it in nexts days to see if that occurs again.

Very strange...

0 Likes Likes

Go to solution
Infra_DKI
L1 Bithead
In response to Infra_DKI

‎10-09-2018 01:38 AM

The problem seems to be gone since the reboot.

That's very strange. We have to be very carefull to be sure that it will not happen again in the future...

  • 1 accepted solution
  • 3901 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks