
New PA user and currently concerned


L4 Transporter

Hi

 

I am a new PA user, purchased a PA-850 and 2 x PA-5220s

 

Adding these to my OSPF network, I have set up a policy "network protocols" that allows OSPF.

 

But for some reason in my log, I get OSPF timed-out sessions and aged-out sessions and sessions that have 0 bytes.

 

So I contact support. After 2-3 weeks, they bring it up in their lab and I am told this is normal behaviour.

 

If it's normal, why do they need to lab it up? It should be in the documentation, yes?

 

Also, for a next-gen FW that doesn't understand OSPF, wow... I am really reconsidering my choice in PA...

 

So is this standard for OSPF connections?

 

To be clear, I believe the OSPF connection is okay, at least from my other router's point of view; it's just the way that the PAs are logging it. I believe I haven't as yet put them into any situation where they could cause a problem ...

21 replies

L6 Presenter

Hi,

 

Aged-out is fine because OSPF doesn't use TCP; it is a standalone protocol of its own. Can you please post the detailed (magnifying glass) log view.
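The triage logic this reply describes (OSPF is IP protocol 89 with no TCP teardown, so aged-out is how the firewall ends such sessions) applied to constructed log rows, as an added example that is not from the thread or from Palo Alto Networks; the comma-separated field layout and the sample rows are assumptions for illustration, not the real PAN-OS traffic log format:

```python
"""Triage PAN-OS-style traffic log rows for OSPF sessions.

Constructed, simplified row layout (NOT the real PAN-OS CSV field order):
receive_time,src,dst,app,proto,action,bytes,session_end_reason
"""
import csv
import io

OSPF_PROTO = 89  # IP protocol number for OSPF; no TCP handshake, so no FIN/RST teardown

# Constructed sample rows resembling what the thread describes (not real logs).
SAMPLE_LOG = """\
2018/03/01 10:00:01,10.0.0.1,224.0.0.5,ospf,89,allow,0,aged-out
2018/03/01 10:00:02,10.0.0.2,224.0.0.5,ospf,89,allow,0,aged-out
2018/03/01 10:00:03,10.0.0.1,10.0.0.2,ospf,89,allow,1200,aged-out
2018/03/01 10:00:04,10.0.0.9,224.0.0.5,ospf,89,deny,0,policy-deny
2018/03/01 10:00:05,10.0.0.1,10.0.0.3,ssl,6,allow,0,aged-out
"""

FIELDS = ["receive_time", "src", "dst", "app", "proto", "action", "bytes", "session_end_reason"]


def classify(row):
    """Return 'expected', 'investigate' or 'ignore' for one traffic-log row."""
    proto = int(row["proto"])
    reason = row["session_end_reason"]
    if proto != OSPF_PROTO:
        return "ignore"  # not an OSPF session; out of scope for this triage
    if row["action"] != "allow":
        return "investigate"  # OSPF hello/LSA blocked by policy: adjacency cannot form
    if reason == "aged-out":
        # OSPF has no TCP close, so the firewall can only expire the session on a
        # timer; the thread also reports 0-byte counters on firewall-local flows.
        return "expected"
    return "investigate"  # allowed OSPF session ended for some other reason


def triage(log_text):
    """Parse the CSV text and return a dict mapping verdict -> list of rows."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    verdicts = {"expected": [], "investigate": [], "ignore": []}
    for row in reader:
        verdicts[classify(row)].append(row)
    return verdicts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for verdict, rows in result.items():
        print(verdict, len(rows))
    for row in result["investigate"]:
        print("check policy:", row["src"], "->", row["dst"], row["action"], row["session_end_reason"])
```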

L6 Presenter

Also, if you check the session browser tab and filter based on the OSPF app, what can you see? I think it is something to do with the device's own session. For instance, I am running an IPSec VPN that terminates on the PA; I also cannot clear this session, and my counters show 0 bytes:

 

[screenshot: esp.JPG]

 

EDIT: I'm not sure, though, if this is the case with OSPF.

Cyber Elite

@Alex_Samad,

I'm guessing that you worked solely with level 1 TAC, which will take a while to actually accomplish much of anything and likely weren't familiar with OSPF installations. I would recommend you only let front-line support hold a case for a day; after that, tell them to hand you up a tier. Personal experience has told me that the first person you are going to get in touch with through TAC isn't going to know much about the product. Don't get me wrong, some of those guys actually are great, but Palo Alto has had to grow that team so much that a lot of them are quickly moved into tier 2 and tier 3 roles and then get passed off to other departments; sadly this means that tier 1 has decreased in recent years in their knowledge of the product.

 

The good news is, from talking with plenty of people internal to the company, they are desperately trying to stop the tier 1 hemorrhage of knowledge. So they are at least trying to address the issue.

L7 Applicator

@BPry

Is it possible to force a TAC case to be moved to level 2 or 3 after one day? Do you simply need to say "please move the case to the next level", or how does this have to be done? Over your SE?

@Remo,

I wouldn't say it's as simple as saying 'please move the case to the next level' but more of an 'I think this needs to go to the next level, I think this is above your head' type of thing. I haven't had anybody say no at this point, although I have had to repeat it with a little more force to get the point across. I'm not sure what TAC's actual protocol is to escalate a case.

 

I wouldn't do this for a simple question after only a day, but if it stretches out to a few days, or better yet it actually affects my users, I'm getting escalated one way or another. I'm not sure how TAC is actually graded as far as the individual is concerned, but I've connected with a few TAC techs that wanted to hold onto a case for far too long before I actually brought up escalating directly with them.

I usually ask through the portal: "Please, can we escalate this case?" :D

But again, it all depends on the actual issue, and if you think that the conclusion was wrong or you need a bit more info, you can escalate. Most of the time, 98%, engineers are very good (EMEA TAC). In 1.5 years working in support I escalated only twice.

@TranceforLife,

You said the magic words of EMEA though 😉 

Not sure where you are based (guess US), but US TAC didn't show me a good example of the support.

My current experience hasn't been the best.

 

OSPF - Okay, I can accept that the firewall can't understand OSPF in regards to policies - that seems like a major defect to me. Why do I pay so much for a system that ....

 

As for support - I have had a GlobalProtect issue that I have asked to be escalated - 3 or 4 times - and I am still stuck with the same person. Not getting anywhere.

 

If this had happened during my POC, I would have looked elsewhere.

 

I have had some good experiences.

 

But in a lot of them the WebEx sessions are people randomly clicking on things: let's try this and see what happens, and then let's try this.

 

Not sure if it makes me feel better to hear others are having the same issues or worse!

 

@Alex_Samad,

If you're not being escalated when you're asking, I would ask to speak with their manager; additionally, bring your SE and your account manager into the mix. In my experience you won't get good GlobalProtect support until you get escalated. Tier 1 can get really frustrating to deal with at times, especially when they want to commit something while I already have other changes pending or want to make a major adjustment during the middle of the day.

 

Wow. I cannot believe this is all done or can be done by Palo TAC...

@TranceforLife,

From what I've been told by fellow PA users, EMEA TAC is a completely different experience and generally much better than what we currently see stateside.

Wow, good and bad to hear I guess.

 

 

I have tried the escalation path again.

 

Thanks

 

Alex

L4 Transporter

OSPF doesn't get logged as traffic, as it happens outside (or, maybe, "below") the scope of the firewall engine. This is all handled in the routing functions, which happen before traffic reaches the firewall engine. However, it does get logged under System, where you can filter on "ospf" to see what it's doing: Monitor tab --> System. And there are CLI commands that can be run to display all kinds of OSPF info.

 

This tripped us up last week when we implemented our first OSPF setup from scratch, and nothing worked. 🙂 There are a lot of dialogs, sub-dialogs, and checkboxes that need to be filled in correctly before it all starts to work, and multiple different places that interfaces need to be associated with the OSPF stuff. But the logs are there, and once you figure out where the information is stored in the Virtual Router configuration, it does start to make sense.

 

I've never used an actual routing protocol before, and I was able to get a PA-200 talking to a PA-3020 via OSPF, distributing its IPs and subnets successfully across our internal fibre network and across our Telus MPLS links to remote PA firewalls. 🙂

 

One thing I've noticed with PA firewalls is that "the normal way" of thinking about firewalls and routing doesn't really apply. But once you wrap your head around "the PA way" of thinking, it all starts to make a lot of sense. We came from a FreeBSD firewall / router setup, with some Linux firewalls mixed in (so all layer 2/3 filtering) and found the PA firewalls to be a pain to work with initially. But once we moved away from the strict-L3 packet filtering mindset, we figured out how to make the most of the features offered. Now, if only they'd drop the price ... 😉 🙂
