02-28-2019 02:07 AM - edited 02-28-2019 06:54 AM
Dear experts,
I am moving from a PA3050 to a PA3220. I exported the current configuration from the old PA3050 and imported it into the new PA3220, and it committed successfully, but when I move the cables from the old device to the new one I get random issues! Some zones are not reachable; I have ping to the internet, telnet and traceroute, but I can't browse! I can't ping some destinations. WEIRD! It's the SAME configuration, and the OS versions are the same on both devices; plus, I downloaded and installed the latest content version on both devices before exporting the config file.xml.
NOTE: when I move back to the old PA3050, everything works properly!
One more thing: we have an A10 (SSL interception) connected to the PA on the external side, and a StormShield (as the core firewall).
REALLY WOULD APPRECIATE YOUR HELP.
02-28-2019 08:29 AM
Maybe asymmetric routing? Traffic like ping doesn't need a 3-way handshake to work through the PA but internet browsing would. Maybe the syn-ack isn't going through the PA?
Did anything else change when you moved to the new firewall?
Is there anything in the logs showing this traffic dropping?
02-28-2019 08:38 AM
No, I checked all devices; not a single drop on any of them. Plus, I cleared ARP on the PA and on the neighbor devices and it still isn't working. I noticed that I can't ping from the PA interface to the other end, which is a switch. I have no idea why this would happen...
02-28-2019 08:47 AM
What do the ARP entries on the PA and switch show for each other? Are they correct?
02-28-2019 08:50 AM
It's showing the correct ARP; the PA MAC address matches the correct IP. On the other hand, why would there be asymmetric routing if nothing changed in the network except the device? That's the point here: whenever I switch the cable back to the old device, everything works properly.
02-28-2019 08:59 AM
Is there asymmetry in your network? There is a setting on the PA to bypass the dropping of traffic where the full handshake isn't seen. Was that set on the old firewall?
If you do 'show session info', there's a section for Session Setup that will tell you the current value of this setting. Default is True, meaning it will drop the traffic. If it's set to False, then the full handshake isn't needed to permit traffic.
02-28-2019 09:09 AM
You mean it's a setting in the Zone Protection? I created a zone protection --> Packet Based Attack Protection --> "Reject Non-SYN TCP"; I set it to "No" and the Asymmetric Path to "Bypass".
Is that correct?
02-28-2019 09:19 AM
No, it's a command line entry. At the CLI, you enter 'show session info'. Then look for the section called 'Session setup'.
02-28-2019 09:25 AM
Ah, I didn't, but I will check this and get back to you. One more thing: would this affect the other zones as well? I mean, would this affect the DMZ zone, or would it only affect internet connectivity?
02-28-2019 09:33 AM
Ah okay, but shouldn't this global setting be included in the config file that I exported from the old PA3050?
02-28-2019 10:08 AM
So the configuration on your 3050 and your PA-3220 is going to be different in a few ways. Things I would verify:
1) On the PA-3220 are you using interfaces 17 through 20, and if so have you actually verified the interface is set to the proper speed if you are using SFP instead of SFP+?
2) Importing a configuration like that can cause some issues if things don't 100% import properly. I would pull the PA-3050 and the PA-3220 configurations and verify that they are actually similar by running a compare.
3) What do you see on the logs when you are attempting to browse? Resets or age-out responses?
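The two suggestions above (check the Session Setup section of 'show session info' on each box, and actually compare the two devices instead of trusting the import) can be combined into one quick check. The script below is an added example written for this thread, not code from the forum or from Palo Alto Networks: it parses the Session Setup section from the CLI output of both firewalls and reports every setting that differs, so a box-local setting such as "TCP - reject non-SYN first packet" that did not travel with the exported XML shows up immediately. Both sample outputs are constructed to resemble PAN-OS output; only the reject-non-SYN line is a real PAN-OS field name, the other lines are illustrative assumptions.

```python
"""Diff the 'Session setup' section of `show session info` between two firewalls.

Added example for the thread above, not from the original page.
The two sample outputs are CONSTRUCTED to resemble PAN-OS `show session info`
output (real output has many more lines). Only the line
"TCP - reject non-SYN first packet" is a real PAN-OS field; the other two
lines are assumptions used for illustration.
"""
import re

# Constructed sample: output captured from the OLD device (asymmetric
# traffic allowed, i.e. the non-SYN rejection was turned off at some point).
OLD_PA3050 = """\
Session setup
  TCP - reject non-SYN first packet:        False
  Hardware session offloading:              True
  IPv6 firewalling:                         True
"""

# Constructed sample: output from the NEW device with factory defaults.
NEW_PA3220 = """\
Session setup
  TCP - reject non-SYN first packet:        True
  Hardware session offloading:              True
  IPv6 firewalling:                         True
"""

SETTING_RE = re.compile(r"\s*(.+?):\s+(\S+)\s*$")


def parse_session_setup(text):
    """Return {setting_name: value} for the indented lines under 'Session setup'.

    The section ends at the first line that is not indented (the next
    top-level section) or at end of input.
    """
    settings = {}
    in_section = False
    for line in text.splitlines():
        if line.strip().lower().startswith("session setup"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith(" "):
            break
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1).strip()] = match.group(2)
    return settings


def diff_settings(old, new):
    """Return a sorted list of (setting, old_value, new_value) that differ.

    A setting missing on one side is reported with None for that side.
    """
    names = sorted(set(old) | set(new))
    return [(n, old.get(n), new.get(n)) for n in names if old.get(n) != new.get(n)]


def rejects_non_syn(settings):
    """True when the box drops TCP flows whose first seen packet is not a SYN.

    PAN-OS defaults to True, so a missing line is treated as the default.
    """
    return settings.get("TCP - reject non-SYN first packet", "True") == "True"


if __name__ == "__main__":
    old = parse_session_setup(OLD_PA3050)
    new = parse_session_setup(NEW_PA3220)
    for name, before, after in diff_settings(old, new):
        print(f"{name}: old={before} new={after}")
    if rejects_non_syn(new) and not rejects_non_syn(old):
        print("New device rejects non-SYN first packets; the old one did not.")
```

Run it once with the real output pasted in place of the two constructed strings. The same parse-and-diff approach works for the XML export compare suggested in point 2: dump the running config from both devices and diff the result rather than assuming the import was 100% faithful. Note that the reject-non-SYN setting only hides an asymmetric path; the path itself (SYN-ACK returning around the PA rather than through it) is still worth finding in the traffic logs.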
02-28-2019 10:09 AM
Okay, thank you very much for your responses. I will check and update you.