09-04-2025 07:14 PM
Good evening,
Working with one of the top Microsoft engineers today who performed numerous wireshark traces regarding huge concerns that Palo Alto Firewall 5250 firewall was dropping packets. Identified exact time and sequence as well as size of packets and sequence being lost in transit. Noticed over tens of thousands of these re-transmits issues occurring with certain sequence packets being lost.
Microsoft seen this problem and recommended enabling DSRI (Disable Server Response Inspection). Once implemented, performance was fantastic. File uploads and downloads changed from 2.5 minutes down to 13 - 15 seconds. However, after about 4-5 hours, the issue came back.
Was doing research on SMB file transfers and saw that older Windows Server OS often stems from firewall's security inspections interfering with outdated SMB versions or unexpected traffic patterns.
Decided to also include an exception rule whereby we added all different versions of ms-ds-smb but still the issue continues. Totally open to any additional changes that could alleviate the SMB issue. Entire agency uses Azure commercial to upload files via VDI on-premise to NetApp virtual servers via Expressroute in the cloud and can't migrate because latency is killing performance.
Any advice and or recommendations would be enormously appreciated!!!!
Thanks in advance.
09-05-2025 01:22 AM
in this case i would create an app override for all the SMB traffic
create a custom app (don't use normal app-ids in override rules unless you know why)
create an app override rule for tcp 445 (and possibly 139) with appropriate source/destination subnets/ips
update your security rules with the custom app
verify in the traffic log that all your SMB traffic is now identified as the custom app
check if that helped
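An added example for the "verify in the traffic log" step above (my own code, not from the reply author or Palo Alto): it runs over a constructed, simplified CSV export of the traffic log and separates TCP 445/139 flows that hit the custom app from those still identified by the normal App-ID, grouping the misses by source so gaps in the override rule's source/destination match stand out. The custom app name, rule names and column layout are assumptions.

```python
"""Check that every TCP 445/139 flow is now identified as the custom app.
Assumed/constructed: a simplified CSV export of the traffic log with the
columns src,dst,dport,app,rule (not the full PAN-OS field list)."""
import csv
from io import StringIO

CUSTOM_APP = "smb-override"          # hypothetical custom app name
SMB_PORTS = {445, 139}               # ports named in the reply above
OVERRIDE_RULE = "smb-app-override"   # hypothetical app-override rule name

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
src,dst,dport,app,rule
10.10.1.15,10.20.0.5,445,smb-override,smb-app-override
10.10.1.16,10.20.0.5,445,ms-ds-smbv3,allow-smb
10.10.1.17,10.20.0.6,139,smb-override,smb-app-override
10.10.1.18,10.20.0.7,443,ssl,allow-web
10.10.2.9,10.20.0.5,445,ms-ds-smbv2,allow-smb
"""

def check_override(log_text, custom_app=CUSTOM_APP, ports=SMB_PORTS):
    """Return (overridden, still_inspected): SMB-port flows that matched the
    custom app versus those still classified by the normal App-ID, which
    therefore still pass through layer-7 inspection."""
    overridden, still_inspected = [], []
    for row in csv.DictReader(StringIO(log_text)):
        if int(row["dport"]) not in ports:
            continue            # not SMB traffic; irrelevant to the override
        if row["app"] == custom_app:
            overridden.append(row)
        else:
            still_inspected.append(row)
    return overridden, still_inspected

def summarize(log_text):
    """Group the flows that missed the override by source host, so you can see
    which subnets/hosts the override rule's match criteria do not cover."""
    _, missed = check_override(log_text)
    by_src = {}
    for row in missed:
        by_src.setdefault(row["src"], []).append((row["dst"], row["app"], row["rule"]))
    return by_src

if __name__ == "__main__":
    ok, missed = check_override(SAMPLE_LOG)
    print(f"{len(ok)} SMB flows overridden, {len(missed)} still under normal App-ID")
    for src, hits in summarize(SAMPLE_LOG).items():
        print(src, hits)
```

Export the real traffic log filtered on the SMB ports to the same columns to run it against production data; any host listed by summarize() is still being inspected and will keep showing the slow transfers.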
09-05-2025 12:47 PM
Essentially what you were doing with enabling DSRI on the rule in question that allowed this traffic is making it so your firewall wasn't performing analysis of a lot of the traffic, but you were still looking at all of the client->server traffic from a security perspective. Sometimes this can be preferred for traffic that may be sensitive to latency and have larger performance impact from inspection (like SMB and SQL traffic).
What the application-override will do is prevent layer 7 application and security processing. You'll find that SMB transfers are one of the most common reasons to see application-override entries in someone's configuration. The performance issues that you are running into should immediately clear up when you override this traffic to a custom app-id.
Just keep in mind that your firewall is out of the equation for any sort of threat inspection with this change in place. Assuming you have various layers of security around potentially malicious files, this should be a non-concern but is something to certainly keep in mind.