I've noticed that downloads that occur over decrypted TLS sessions are incredibly slow since upgrading my PA-3050s to PAN-OS 6.1.x (now on version 6.1.12). Sometimes they don't even complete at all, either failing or just sitting forever. For example, I once tried to download a 70 MB file and it was sitting at about 18% complete seven hours later. When I excluded my user account from TLS decryption, the file downloaded in less than a minute.
I don't remember this being the case on older PAN-OS versions, but perhaps it is just because more and more sites are going all HTTPS.
I contacted PAN support and they noticed that the PA-3050 buffers weren't filling up and our overall dataplane utilization is low but that there were a bunch of TCP resets being sent. The support case is still open, but I'm wondering if anyone else has noticed this issue as well.
I haven't paid too close attention, but we are blocking most downloads anyhow. I am still on 7.0.x so might be different than 6.1.x
Next time I have a chance, I will try to compare.
We're actually doing TLS decryption as a pilot in IT only at this time, so most of the individuals whose traffic is decrypted do actually need to download files.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!