PAN-OS 8.1.0 SMB Issues

Reply
Highlighted
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

Thanks for the reply.  I was hoping there was a way to avoid having to do 2 override policies.  Ugh.  Glad PA was asleep at the wheel on this one.

Highlighted
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

Our experience (which we have shared with Palo Alto tech support) is that the SMB issue is in the Virtual Router itself separate from the policy applications. For us it would run normally for days until something would be triggered that killed routing of SMB on our internal LAN (no policies are applied, so there really is nothing to override). The simplest way we found to restore routing was to suspend the active firewall (triggering a failover to the passive firewall in our HA active/passive configuration). We could then make the first firewall functional again and everything would work normally until the next intermittent SMB failure.

 

In the absense of a hotfix, we rolled back to 8.0.8.

 

We had tried the application override trusting guidance from Palo Alto, but it has no effect on the virtual router problem.

 

Highlighted
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

For anyone who cares:  The application override did address the issue for us.  In our case it was a straight firewalling issue over a IPSEC tunnel.  So we never had the abovementioned issues with the Virtual router.

 

I did put in a call to PA TAC, to make sure I got the App Override put in there properly (I havent done a lot of that).  When I spoke to the TAC representative about the general bugginess of 8.1.0 the response was effectively "its your own fault for installing firmware that we released to you."  Which was comforting.

 

Nothing like "Lets get the plane in the sky and try to fix it before it hits the ground"

Highlighted
L0 Member

Re: PAN-OS 8.1.0 SMB Issues

I also had this issue. I resolved the issue by first creating a custom application then creating an application overide using the custom application.

Highlighted
L2 Linker

Re: PAN-OS 8.1.0 SMB Issues

Ran into the same problem, creating an application override solved the problem.

Policies > Application Override

 

Source: Clients

Destination: File Server

Protocol/Application

TCP 139, 445

Application: ms-ds-smbv3

 

Software Version8.1.0
VM License

VM-100

Highlighted
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

I experienced this issue as well with a pair of 3050's in HA.  It's unacceptable Palo Alto would not notify its customers of the issue. 

Highlighted
L2 Linker

Re: PAN-OS 8.1.0 SMB Issues

Based on PAN code quality trends over 7.0, 7.1, and 8.0, I have been waiting for PAN TAC to recommend an image for production use before trying it anywhere outside the lab. That has been usually around X.X.5 or X.X.6. Even then, tread with significant caution when deploying.

 

As folks have found out, using X.X.uhoh (X.X.0) releases outside a test environment is just begging for trouble. 

 

Save your sanity and remaining hair. Wait for TAC recommended images.

Highlighted
L4 Transporter

Re: PAN-OS 8.1.0 SMB Issues

8.1.1 is now available and includes the fix for this issue (among many others) Someone play with it and report back ;)

Highlighted
L1 Bithead

Re: PAN-OS 8.1.0 SMB Issues

There are 7 pages of "Addressed Issues".  Talk about a mess.

Highlighted
L0 Member

Re: PAN-OS 8.1.0 SMB Issues

PAN-94445
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!