PA 850

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA 850

L1 Bithead

hello 

we have deployed a HA 850 series cluster

 

we have users complaining about problems with:

voice quality on MS Teams 

screen freezes 

video & audio out of sync

Q is there a configuration I should  use to optimise the MS Teams network performance ?

Q are there any logs /packet captures I should run to try and identify the issue ?

 

thanks 

 

 

 

 

 

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

I would recommend disabling URL filtering on the security policy that is inspecting the traffic. Other than that, its a matter of looking at the traffic packets and interface and bandwidth utilization. Another thing to possible try is checking the box for

OtakarKlier_0-1705081154882.png

in the security policy. Perhaps also looking into QoS, but if its cloud based, that might not make a difference since the internet doesnt respect or adhere to QoS in packets.

 

Regards,

Cyber Elite
Cyber Elite

"Disable Server Response Inspection" eliminates threat prevention against traffic sent from server to client.

Quite a risky option to set in general but specially if clients are inside and servers in internet.

 

Are you monitoring bandwidth utilization to be sure you are not hitting limit set by ISP?

Use QoS to prioritize MS Teams traffic.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

@paloaltousername,

Just going to echo what @Raido_Rattameister stated about the "Disable Server Response Inspection" risks. This isn't a feature to be utilized lightly and I won't want to enable it on something as broad as Teams traffic. It's something that I'll utilize in some scenarios internal to the network where you absolutely need it, but you'd really want to understand the risks associated with it before doing so. 

There's some examples where disabling it can be an acceptable solution where speed is prioritized over the inspection of the server to client flow. One that you'll see utilized often is in instances of file servers and SMB traffic, as you'll still be inspecting the client to server flow for someone uploading a new file, but you wouldn't be inspecting a client downloading a file from the server. In some situations that's preferred from a performance standpoint if you have mitigating factors on the file servers to ensure that they aren't feeding anything malicious to your clients.

 

When you have a large enough ISP connection and a big enough box you shouldn't need to do anything for Teams to work properly. The biggest thing Microsoft will tell you before you implement Teams for telephony is to ensure that you have a large enough connection to support the traffic and to implement QoS, with QoS and properly prioritized voice traffic being one of the biggest things that will cause connection issues.

One thing that you don't mention in your post @paloaltousername is where you're running into this issue. If it's on-prem traffic I'd absolutely be looking at QoS and insuring you have a large enough ISP connection to actually support the transition. However if it's people operating across GlobalProtect then you need to think about the possibility of splitting that traffic and allowing the Microsoft "Optimize Required" entries to exit locally instead of tunneling back to your firewall. 

thank you for all your help 

I have asked the ISP to report back on any QoS or shaping on their on-prem WAN router 

the users reporting the issue  are located on the LAN with no reported VPN users 

the WAN router is local to these users 

I am not sure if this service ever worked to an acceptable standard 

  • 1831 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!