01-26-2023 05:54 AM
I recently discovered that my configured Zone Protection Profile applied to my Inside Security Zone was the root cause of my very slow HTTPS download speeds. I came to this conclusion after I noticed that with the Zone Protection Profile applied to the INSIDE security zone, it would take a 3.5 gbps file 6 hours to download; however, after removing the Zone Protection Profile from the inside security zone, it would only take 6 mins tops to download. I am a bit confused as to why this is even happening... Has anyone had any related experiences, or does anyone have some knowledge as to why I am seeing this behavior when utilizing the Zone Protection Profile?
01-26-2023 10:21 AM
Interesting behavior. I have not seen this myself; however, I do have zone protection enabled on the inside. I have an internal and external policy, yes two. Curious about the model and the code it's running; perhaps there is a bug or the device is overloaded?
01-26-2023 10:46 AM - edited 01-26-2023 10:48 AM
The firewall is barely in use; maybe ten users at max are utilizing the firewall. The firewall data plane is currently 1% utilized as well. The model is a PA-3220 running 10.2.0. I thought about upgrading to a more preferred code, if I cannot figure out what's going on, to see if that fixes anything.
01-26-2023 10:57 AM
What I sometimes do is read the release notes of newer releases and check the 'fixes'. However, the issue just might be something else and a code upgrade helps. I never recommend running the base code such as x.y.0; there are bugs that have yet to be found. I go along with the preferred releases:
I would recommend upgrading and seeing if that helps.
01-31-2023 12:58 PM
Also, just in case, check your zone protection logs, since if it drops packets, TCP then retransmits them and the connection does not go down but just seems slow ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC ). Do a pcap from an affected user and see if there are a lot of TCP retransmits. You can also check the global counters ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS ).
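
Added example, not part of the thread: one way to do the pcap check suggested in the reply above without opening a packet analyzer is to count, per TCP flow direction, data segments whose bytes were already seen. It assumes a classic (non-pcapng) capture with Ethernet framing, IPv4 and no VLAN tags; out-of-order segments are counted too and sequence wraparound is ignored. The function names and the sample addresses and ports are constructed for illustration.

```python
import struct
from collections import defaultdict

def tcp_retransmits(pcap: bytes) -> dict:
    """Return {(src, sport, dst, dport): [data_segments, retransmits]}."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24 or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    stats, next_seq, off = defaultdict(lambda: [0, 0]), {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP, or truncated before the TCP header ends
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack(">H", frame[16:18])[0]
        tcp = 14 + ihl
        sport, dport, seq = struct.unpack(">HHI", frame[tcp:tcp + 8])
        payload = total_len - ihl - (frame[tcp + 12] >> 4) * 4
        if payload <= 0:
            continue  # pure ACK/SYN/FIN carries no data to retransmit
        flow = (".".join(map(str, frame[26:30])), sport, ".".join(map(str, frame[30:34])), dport)
        stats[flow][0] += 1
        end = seq + payload
        if flow in next_seq and end <= next_seq[flow]:
            stats[flow][1] += 1  # these bytes were already sent in this direction
        next_seq[flow] = max(next_seq.get(flow, 0), end)
    return dict(stats)

def _frame(seq: int, data: bytes) -> bytes:
    """Constructed frame 192.0.2.10:443 -> 10.0.0.5:50000 (checksums left at 0)."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([10, 0, 0, 5]))
    tcp = struct.pack(">HHIIBBHHH", 443, 50000, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data

def sample_pcap() -> bytes:
    """Constructed capture: segments at seq 1000, 1100, 1200, then 1100 again."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq in (1000, 1100, 1200, 1100):
        f = _frame(seq, b"x" * 100)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A high ratio of retransmits to data segments on the download flow while the profile is applied, and a low one without it, points at packets being dropped rather than at raw throughput limits.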