This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Packet buffer protection - PA5220 vs PA5410

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Packet buffer protection - PA5220 vs PA5410

michelealbrigo
L3 Networker

‎06-21-2023 04:58 AM

I've recently upgraded my firewall from a PA-5220 pair to a PA-5410 pair. The firewalls were on the same PanOS version (10.2.4-h2) and with the same configuration. This was the original configuration for PBP at the upgrade time:Screenshot 2023-06-21 alle 13.32.49.png
The 5220 wasn't logging any PBP intervention, as you can see here (there's some sporadic intervention by zone protection profiles, but I consider it as normal):
Screenshot 2023-06-21 alle 13.14.05.jpg
When we switched to PA-5410s (same OS and config), the firewall started logging PBP protection events:
Screenshot 2023-06-21 alle 13.14.44.jpg
I do not expect this to be due to a change of traffic nature, since there's roughly one minute between the last event logged on the 5220 and the first one on the 5410. Also, with some log analysis, the events fall in the time interval between the firewall change and when I deactivated PBP: Screenshot 2023-06-21 alle 13.47.53.png
I turned PBP to monitor, and set it to capacity-based, and the alerts went away:
Screenshot 2023-06-21 alle 13.50.20.png
Has anyone got an explanation for this? Why is there such a difference between 5220 and 5410 in latency-based PBP?

On a side note: by being focused on routing issues and other migration-related stuff, and "one-man-band" on the issue, I completely lost the meaning of the threat name from the Dashboard widget, so it took me a bit longer-than-optimal time to realize that PBP was the source of many problems experienced by my users during those days. Could this kind of intervention be referenced in the "session end reason" field of the logs, instead of "aged-out"? I only figured that out because an "aged out" session I was investingating showed a very large (and strange) difference between received and sent data:

Unknown.png

5 REPLIES 5

BPry
Cyber Elite
Cyber Elite

‎06-21-2023 06:03 AM

@michelealbrigo,

When you switched out the hardware did you clear out the existing ARP entries for the connected switch(es)/router(s)? Latency being introduced on a new hardware install I'm always going to lean that way out the bat. I'll also just note that with the PA-5410 your on a completely different platform, so you could still be running into a bug that simply wasn't present on your PA-5220. Not saying you're running into a bug, but in the event you haven't engaged TAC because you think it isn't a bug it would be a good idea to engage them. While I'm unaware of a bug matching this on the 5400 series, only employees have access to Jira to check all bug reports. 

0 Likes Likes

michelealbrigo
L3 Networker
In response to BPry

‎06-21-2023 06:13 AM

I did not clear the arp cache on the routers, but the firewall only talks with a small number of L3 switches (3 physical switches with some VRFs, make it less than 20 in total), and all of them only have the firewall on the uplink VLANs. I.e. the links are an improper "point-to-point", all /24s with just the switch uplink IP and the firewall downlink IP. Also, this situation went on for days before I realized that, so that should be beyond the ARP cache duration.

As for the TAC request: I'm still on an "explorative" phase, the 5410 deployment isn't complete yet, so I wouldn't be able to be consistent over the days on any check I might be required to perform. I'll definitely give PBP a go when everything is in its place, and open a proper ticket if I can consistently replicate the problem at will.

0 Likes Likes

ocardiel
L1 Bithead
In response to michelealbrigo

‎12-13-2023 09:00 AM

Hi Michele,

 

I have just the same issue... were you able to solve or find an explanation for this issue?

 

thank you in advance for your help.

0 Likes Likes

michelealbrigo
L3 Networker
In response to ocardiel

‎12-14-2023 02:51 AM

No, sorry: no solution, neither explanation. In the meantime, I've moved up some releases (10.2.6 currently), but never come back to check if latency-based PBP is back working as intended. A call with the TAC only provided some suggestions on tweaking the latency activation values, but PBP was still acting wrong, so I basically gave up on that.

Our PBP is configured as capacity-based, at the moment (50% alert, 80% activate), apparently without issues: 5410s are kinda oversized for our deployment, when running under normal load, and that's also what made those latency-based PBP triggers strange.Screenshot 2023-12-14 alle 11.49.56.png

ocardiel
L1 Bithead
In response to michelealbrigo

‎12-14-2023 04:10 AM

Thank you very much for your answer, Michele. I appreciate it a lot!

0 Likes Likes
  • 1744 Views
  • 5 replies
  • 1 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks