Slowness Issues After applying Zone Protection to Inside Security Zone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Slowness Issues After applying Zone Protection to Inside Security Zone

L1 Bithead

I recently discovered that my configured Zone Protection Profile applied to my Inside Security Zone was the root cause of my very slow https download speeds. I came to this conclusion after I had noticed that with the Zone Protection profile applied to the INSIDE security zone, it would take a 3.5 gbps file 6 hours to download; however, after removing the zone protection profile from the inside security zone, It would only take 6 mins tops to download. I am a bit confused as to why this is even happening.... Has anyone had any related experiences to this or may have some knowledge as to why I am seeing this behavior when utilizing the Zone Protection Profile?

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

Interesting behavior. I have not seen this myself, however I do have zone protection enabled on the inside. I have an internal and external policy, yes two. Curious on the model and code its running, perhaps there is a bug or the device is overloaded?

Regards,

The Firewall is barely in use, maybe ten users at max are utilizing the Firewall. The firewall data plane if currently 1% utilized as well. The model is a PA-3220 running 10.2.0, I thought about upgrading to a more preferred code if I can not figure out whats going on to see if that fixes anything.

Cyber Elite
Cyber Elite

Hello,

What I sometimes do it read the release notes of newer releases and check the 'fixes'. However the issue just might be something else and a code upgrade helps. I never recommend running the base code such as x.y.0, there are bugs that have yet to be found. I go along with the preferred releases:

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

I would recommend upgrading and see if that helps.

Regards,

L6 Presenter

Also just in case check your zone protection logs as if it drops packets but TCP then retransmits the packet and the connection just does not go down but seems slow https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC . Do  a pcap from an affected user and see if there are a lot of TCP retransmits. You can also check the global counters https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

  • 1678 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!