About Abdul_Razaq

Hi Community, I am seeing the below behaviour in my PA-850 running on 9.1.4. Security policy is allowed for traffic. Scenario-1, without zone protection in internet zone - Everything works fin   Scenario -2, Having zone protection with pretty much all options enabled for 'IP Drop' and TCP drop' and other options as well. Applied it on internet zone. Everything works fine like browsing, streaming etc.. but once I start downloading a big file, after downloading some part, the session will move from Active to discard and the download will simply hung. There is no application shift(connection is over ssl and policy allows every app). when checked for global counters, I can see the following counter increasing, packets dropped because of failure in tcp reassembly packets dropped due to the limitation on tcp out-of-order queue size Even though the drops are there, not sure why the session should move to discard state. After the session hungs, I can see the counter "packet buffer pointer inconsistent" as well. Once I remove zone-protection, everything works fine ( i have tested iso download from releases.ubuntu.com). What are the reasons the session moves from active to discard? I can't see any threat logs. buffer protection is not enabled in global.   ----counter----- show counter global filter packet-filter yes delta yes Global counters: Elapsed time since last sampling: 3.72 seconds name value rate severity category aspect description -------------------------------------------------------------------------------- pkt_outstanding 4026 1310 info packet pktproc Outstanding packet to be transmitted pkt_alloc 5 1 info packet resource Packets allocated pkt_inconsist 2101 683 info packet pktproc Packet buffer pointer inconsistent session_freed 28 9 info session resource Sessions freed flow_fwd_drop_noxmit 120 39 info flow forward Packet dropped at forwarding: noxmit flow_qos_pkt_enque 2094 681 info flow qos Packet enqueued to QoS module flow_dos_ag_buckets_upd 1 0 info flow dos Updated aggregate buckets for aging flow_pppoe_encap_pkts 3868 1259 info flow pktproc Total packets encapsulated with PPPoE header flow_host_pkt_xmt 5 1 info flow mgmt Packets transmitted to control plane appid_unknown_fini_empty 11 3 info appid pktproc The number of unknown applications because of no data nat_dynamic_port_release 5 1 info nat resource The total number of dynamic_ip_port NAT release called dfa_sw 2132 694 info dfa pktproc The total number of dfa match using software tcp_drop_packet 7 2 warn tcp pktproc packets dropped because of failure in tcp reassembly tcp_pkt_queued 4294967233 1398101312 info tcp resource The number of out of order packets queued in tcp tcp_case_2 24 7 info tcp pktproc tcp reassembly case 2 tcp_exceed_flow_seg_limit 7 2 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size aho_sw_offload 2015 655 info aho pktproc The total number of software aho offload ctd_pscan_sw 2132 694 info ctd pktproc The total usage of software for pscan ctd_pkt_slowpath 2132 694 info ctd pktproc Packets processed by slowpath log_traffic_cnt 28 9 info log system Number of traffic logs --------------------------------------------------------------------------------   Thanks in advance. ... View more

Hi Team,   I am trying to create a Dynamic user group using Log settings for HIP logs by the following procedure, 1- created one Tag 2- Configured log settings for HIP log for build in action tagging the source user with the tag created before 3- created a dynamic group with the above tag as match criteria. The dynamic users are not getting registered even though HIP logs are there. It is working fine for User-id logs (instead of HIP logs). i have tested in PanOS 9.1 as well as 10.0. Both versions are showing same behaviur. Have anybody faced the same ?.   Thanks in advance ... View more