- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-09-2016 08:50 PM
Hi All,
I'm new to Palo Alto and have been having issues with content loading on my network. Across the network, webpages that are being loaded in browser will periodically hang and as soon as the user refreshes them they load right away. Also video streaming and image viewing applications appear to behave the same way in that a user will try to load content, can't, will restart the application and then the content will load up fine from the internet. I'm using the VM-100 and have alocated plenty of RAM and CPU for the VM. Have looked at security policies but they appear to be fine. Any suggestions on where to look next would be much appreciated.
Thanks!
05-11-2016 08:27 AM
Hi All,
I've discovered that having the services in my Security Policies set to "application-default," is what causes the issue. Defining this myself fixes the issue.
05-10-2016 06:52 AM
Hi...A couple of things that you can check:
- Ethernet port speed/duplex mismatch
- If you are using URL filtering, FQDN objects, maek sure the DNS server(s) are configured and reachable by the PA.
- Make sure the mgmt port of the PA can get out to the Internet for content updates
Thanks,
05-10-2016 07:26 AM
None of those appear to be an issue. Maybe MTU setting?
05-10-2016 08:30 AM
You can take a packet capture to see if there are many fragmented packets which would point to MTU.
Do you have proxy that would affect the cachin of web contents?
Are you seeing similar symptom for other traffic like FTP, SSL, etc?
05-10-2016 08:31 AM
Just a DNS proxy. It's most obvious when streaming video or loading images.
05-10-2016 09:10 AM
Just to test if any of your policies may cause this, can you allow a test user full access (src=ip-test-user any any action=allow) with no blocking on any URL categories, etc.
05-10-2016 10:57 AM - edited 05-10-2016 10:58 AM
Just tested it out and there seems to be minimal change. live.paloaltonetworks.com actually is one of the sites that takes forever to load.
05-10-2016 11:24 AM
I suggest the next step may be to contact Support and open a case. Thanks.
05-10-2016 05:56 PM
A couple of questions:
Which hypervisor are you using?
If you're using VMware ESXi/vSphere, are you using Promiscuous mode on the port-groups where your firewall is connected or have you enabled "Use Hypervisor-assigned MAC address" in the firewall?
05-11-2016 08:27 AM
Hi All,
I've discovered that having the services in my Security Policies set to "application-default," is what causes the issue. Defining this myself fixes the issue.
05-11-2016 08:38 AM
That's odd. What application needed to use "Any?"
Did you have any deny logs of that application on any port other than the "standard?" If no logs did you have a clean-up rule that's actually logging the denies? By default palo's implict deny doesn't log.
05-11-2016 09:13 AM - edited 05-11-2016 09:19 AM
It caused big problems with Netflix and other streaming services. Maybe it took too long to look it up in the application-default list? I'm not sure. I defined the service ports manually.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!