About SDorsey

SDorsey · ‎01-25-2015

Has anyone encountered any throughput issues with 6.1.1? I have NOT had any issues until Friday. Installed a PAN200 in vwire mode for a client eval / AVR. Their throughput to the internet was 44mbps before PAN. Through the PAN, it as cut down to 8mbps. Removed PAN and it went back up to 44mbps. With other PAN200s on 6.1.1, I am getting 50+ on them. In this specific scenario, it is sitting between a Barracuda WCF 410 and an ASA5510. I have placed one before between these two specific devices without issue. The MTU between all devices is the standard 1500. Thoughts?

SDorsey · ‎12-24-2014

Not me. On 6.1.1 at most of my clients and still have the issue in all browsers.

SDorsey · ‎12-02-2014

This can still cause interference as port scans are blocked by the Zone Protection profile which is configured at the zone level and not via an ACL rule.

SDorsey · ‎11-13-2014

I have not personally heard any negative feedback.

SDorsey · ‎11-10-2014

Thank you much sir!

SDorsey · ‎11-10-2014

We are a VAR so cannot speak from a personal-use side but a lot of our clients have Solutionary and have nothing but positive to say thus far.

SDorsey · ‎11-10-2014

Greetings all! I have updated several PAN firewalls to 6.1. Today, I noticed this entry on page 5 of the guide: Related Log Detail View Enhancements To make it easier to correlate log information from a session, you can now click through the related logs in the Detailed Log View without closing the window and switching views. You can switch between the URL Filtering, Threat, Traffic, and Data Filtering logs associated with a session and the Detailed Log View window will dynamically update to display pertinent information for the selected log I am not readily seeing how to do this on a 6.1 system. Can someone point me in the right direction?

SDorsey · ‎10-13-2014

Because H3 added new anti-packet-evasion techniques. NSS labs discovered they could use certain fragmentation attacks to completely bypass the PAN IPS. So H3 was released which introduces protections against these which require symmetric traffic for the PAN to be able to reassemble the fragments.

SDorsey · ‎10-13-2014

The web server was placed in a DMZ but the web server was dual homed.. i.e. the web server had two physical interfaces. One was connected to the DMZ vlan and the other was connected to the internal network vlan. So when internal workstations made a request to the web server in the DMZ, the initial request would go through the firewall to the web server.. but when the web server responded to that request, it would respond directly to the internal network since it had an interface physically connected to the internal network. So the firewall would only see traffic from the client to the server. It would not see the server to client response.

SDorsey · ‎10-13-2014

All correct. Basically with the new anti-packet-evasion protections in 605-h3, it cannot properly reassemble the fragmented packets if the traffic is asymmetric since it only sees half the traffic.

SDorsey · ‎10-13-2014

I believe Steven is correct. Also, welcome to PANOS. I used to have to manage a couple SSGs back in the day. I found it to be painful.

SDorsey · ‎10-12-2014

Agreed. I have a request in with the sysadmins to see if we can do away with the dual-homed connection altogether since this is really a design anyway.

SDorsey · ‎10-11-2014

csharma Thank you! That fixed it. Apparently the server admins thought it would be okay to dual-home the web server to the internal network.

SDorsey · ‎10-10-2014

Has anyone discovered any issues with H3? I have an odd issue and am not sure if it has to do with the layer 4 changes in the hotfix to address the evasion issues. I have upgraded 3 client sites. No issues at 2 of the sites. On the third side, I have an issue. This client has a public web site in a DMZ. The ACL allows it to be directly accessed by the internal network. After the update to H3, you can access the website just fine from across the internet. You cannot access it from the internal network. You can ping the web server just fine. The Traffic log shows Incomplete for the port 80 traffic. Downgrading back to 6.0.5 allows internal users to hit the website in the DMZ just fine.

SDorsey · ‎09-15-2014

Also, if you find legit sites which are flagged as unknown. I would certainly recommend submitting a change request so they can classify it correctly as this helps everyone else in the PAN community.

Member Since	‎04-18-2012 08:18 AM
Date Last Visited	‎10-27-2020 06:38 PM
Posts	150
Total Likes Received	23

Online Status	Offline
Date Last Visited	‎10-27-2020 06:38 PM

About SDorsey

Re: Unable to login to Minemeld WebUI

Re: Invalid Role - RADIUS

Invalid Role - RADIUS

Re: Wildfire cannot test some Word docs - unsupported file type

Re: Wildfire cannot test some Word docs - unsupported file type

Wildfire cannot test some Word docs - unsupported file type

Linux Persistent VPN

Re: Restart daemons/services

Re: Restart daemons/services

Restart daemons/services

IPSEC Tunnel to ASA - PeerID issues

Re: IPSEC Tunnel to ASA - PeerID issues

Re: Block internet access using Opera Mini

Re: Possible Issues with 6.0.5-h3

Re: 6.0.5 h3 explanation

Re: Who's using an MSSP for security monitoring?

Re: PANOS 6.1 Related Log Detail View Enhancements

Re: 6.0.5 h3 explanation

Re: Possible Issues with 6.0.5-h3

Re: 6.0.5 h3 explanation

Nominated Discussion: Creating an IPSEC Tunnel to ASA

6.1.1 performance issues?

Re: Mgmt webgui kicks me out since panos 6.0

Re: Except Specific IPs from port scan detection / Zone Protection

Re: Who's using an MSSP for security monitoring?

Re: PANOS 6.1 Related Log Detail View Enhancements

Re: Who's using an MSSP for security monitoring?

PANOS 6.1 Related Log Detail View Enhancements

Re: 6.0.5 h3 explanation

Re: 6.0.5 h3 explanation

Re: 6.0.5 h3 explanation

Re: New to Palo Alto from Juniper SSG

Re: Possible Issues with 6.0.5-h3

Re: Possible Issues with 6.0.5-h3

Possible Issues with 6.0.5-h3

Re: Blocking credentials from being submitted to a malicious site

Unlock your full community experience!

About SDorsey