About Remo

Starting with PAN-OS 8.0.3 (in some cases also in PAN-OS 8.0.2 and perhaps also in combination with SSLProxy) it seems to be that there are massive problems with QoS. If you intend to upgrade again to 8.0.4 and experience the same issue, try to disable QoS. In addition it is not solved in PAN-OS 8.0.5. We have multiple cases open regarding these issues ... ... View more

@reaper Could you may be explain the word "Parallel" in the context of SP3? ... View more

Ok, these problems probably aren't related in any way. It's just bad luck.   After a few hours I decided to enable ONLY the managment port again --> complete cluster was down again ... I am going to contact support now as I did not reboot till now ... the problem is that the generating a tech support from the console also fails ... so there is definately something wrong here 😛   EDIT: up to 1000 logdb-full system logs / second ... View more

@reaper Today I also experienced this critical system log entries. The firewall is running PAN-OS 8.0.2 and the setting "Stop Traffic when LogDB Full" is NOT enabled. The log entries were flooding the system log with up to 400 logs / second. Unfortunately I was not able to resolve the issue and suddenly the firewall stopped processing connections completely. I then had to shut down ALL ports (dataplane interfaces were not enough to trigger a failover) because ssh, https and panorama context switch wasn't possible anymore ... was really fun today 😛 Any advice regarding this situation? ... View more

Hi @gustavosj   So you upgraded to 4.0.3 this week as this version wasn't released when you started this topic, but anyway have you set the same MSIEXEC setting in your portal configuration?   Btw: Does pre logon work with user certificates as they shouldn't be available for the connection prior to login? ... View more

Hi @mahmoodm   The overall flow with EVERYTHING (user-ID, decryption, NAT, ...) is a little more complex but it remains the same that it is one path the packet has to take through a paloalto firewall.   In a paloalto this is only one engine: Content-ID/SP3. May be we have to go one step back. After a pattern based application identification the firewall checks what security profiles are applied to the matching security rule and does the SP3 setup (preparation to tell the content-ID engine what to scan according to security profiles). Then the packet is processed by content-ID/SP3 and here we have the step that PA does in a single pass that other vendors do in a multi pass approach. But now, to be honest, I am not exactly sure about the word parrallel. Its either that there are more than one packed packet processed at the same time and may be also by multiple FPGAs or it is that the packet will be processed by multiple specific FPGAs (AV, IPS, URL, ...) at the same time/in parralel and every FPGA does it's specific job. In both ways the packet then will be forwarded/discarded according to the security profile action or sent pack to app-ID if the content inspection found an app change im the decision.   ... View more

What exactly i the issue? Could you explain the "issue" with some more details? ... View more

Hi Alex   If you already have this setup, it should be pretty easy to test if this now also works with decryption (I am also interessted in your results, even if I don't like these traditional proxy servers 😛  )   Edit: Removed sensless sentence   ... View more

Hi @junior_r   You can assign a dedicated virtual router to this interface. This dedicated virtual router has the default route by DHCP and static routes for your internal networks with the destination a second (your default) virtual router. All your normal traffic then needs to be processed by your default virtual router and there you could specify static routes for the IPs you want to route to the DHCP-ISP-virtual-router.   Regards, Remo ... View more

Hi @mahmoodm   To understand it better an example of a competitor may be useful. So with a such a firewall you already see this difference to paloalto in the specifications. In their specsheets you firstly see a huge number for throuput with does not mean anything, because its just the theoretical throughput without any features enabled. (The following is an example an is probably not 100% accurate with the numbers) If you then add URL filtering, the throuput gets cut by at least 3. Add application control and the throughput is again cut by 2 ore more. Next you add IPS and the theoretical throuput will again decrease and lastly if you also enable malware scanning there is only a very little fraction of the initial theoretical throughput left.   In paloalto specs you have two numbers: general throughput with app-id and threat prevention throughput.   So back to the competitor: the processor there needs to track the traffic and has to decide to what additional processors the traffic needs to be forwarded. As you probably already see from their specs this does not look like it is done in one step. It's more like this if you have enabled all features: processor-->url engine-->processor-->application-->processor-->IPS-->processor-->AV-->processor   With paloalto there are also multiple steps the traffic has to go through but it is (as SP3 states) one straightforward approach (as you can see on the image in the document from my first post) and not this back and forth in other products. It even gets worse when other products have one general processor and then the manufacturer decided to implement also NGFW features like paloalto. The trafficflow is then still the same as described above but has to go back and forth between different processes. This way the throughput decreases even more with more features enabled.   Hope this helps a little.   Regards, Remo ... View more

This document should answer your question about SP3: https://www.paloaltonetworks.com/resources/whitepapers/single-pass-parallel-processing-architecture   Regards, Remo ... View more

Ok, in this case I have to thank you for teaching me something new.   Till your post I thought the way to do this in combination with a proxy is  Client --> proxy --> palo And then use the x-forwarded-for http header to identify the user on the firewall   As described here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/identify-users-connected-through-a-proxy-server ... View more

So you have url logs or only the app http-proxy in the traffic log with the username? ... View more

The problem with on the suggested solution is that palo then only sees http-proxy traffic and nothing else - no url logs and decryption isnt'possible this way. So you have to use your second possibility. ... View more