10-02-2018 02:14 AM
Hi all,
We migrated 2 weeks ago from a PA-3020 to a PA-3250.
We upgraded the PA-3020 from PanOS 7.1.19 to 8.1.3, then exported the configuration and imported it into the PA-3250 (which was already on PANOS 8.1.3).
Since this migration we have faced different issues that we never encountered using the PA-3020.
The most important of them is that a significant part of http, ftp, smtp (and maybe other traffic) is often recognized as "unknown-tcp".
The result is that all security policies based on applications are not working as expected. 20 percent of the sessions (yes, 20%!) are not well recognized and are dropped because they didn't match a security rule.
To avoid a blackout of our production, we had to insert more permissive, "old-fashioned" rules based on addresses and ports to allow this traffic.
A case is also currently open with support, but it does not seem to really progress...
Is anyone using PanOS 8.1.3 on PA-3250 hardware?
And if yes, did you face similar issues?
Here is a graph of one day of unknown-tcp sessions:
Regards,