About AnalysisMan

FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before fixing it by upgrading the PAN-OS (if it's a bug - last time it was). Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup) Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit. This workaround should bring up the HA1 Backup. Hope this helps! ... View more

There are two pieces in this question. I believe that you are asking related to 2) because you manually shut down the tunnel.   1) Tunnel monitor (reducing the tunnel failover time) Reduce the Monitor profile 'Interval' and 'Threshold' on the Network -> Network Profiles -> Monitor. 2) OSPF timing (reducing the convergence time) Reduce the Hello Interval (sec) - by changing the 'Hello Interval' (default: 10 seconds) on the Network -> Virtual Routers -> OSPF.   Hope this helps,   ... View more

The log shows that it's failing while validating the signature of SAML. You may try this out: 1) Uncheck 'Validate Identity Provider Certificate,' and 'Sign SAML Message to IDP' on the Device -> Server Profiles -> SAML Identity Provider. 2) Set to 'None' in 'Certificate for Signing Requests' and 'Certificate Profile' on the Device -> Authentication Profile -> authentication profile you configured for Azure SAML.   Hope this helps,   ... View more

It's hard to pinpoint the issue without details, but the article says as below. "This incorrect flow was dropped by the firewall, which caused the end hosts to not receive the IP address because the DHCP Offer never reached the DHCP relay device."   1) I recommend you to check the network reachability. 2) Check the firewall rules. 3) You may use the following CLI commands if the packets are dropping, or do a packet capture on the firewall. > show counter global filter severity drop > show counter global filter delta yes severity drop   Hope this helps,   ... View more

There is a feature called 'Data Filtering.' It's a PAN-OS feature, so it's not really tied to the hardware model. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-data-filtering.html#id664a76a7-883b-442d-a73f-bba8e6a63366   Hops this helps,   ... View more

In your case, Packet Buffer Protection (PBP) should work, and it will protect your OSPF connections. I had many cases under high CPU spikes, and Zone Protection & DoS Protection didn't really help in my cases (probably, in your case as well.)   My engineering generates aggressive traffic sometimes, and it easily spikes up high CPU on the firewall. It's impossible to control or rate limit it because they use this protocol today, but later they may use other protocols or applications. Even if your case is a bug, you can only delay the situation by upgrading the PAN-OS. The high CPU event could be happening later by other protocols or applications. I'm happy with the PBP solution since I applied it. Because it protects the firewall and never reaches 100% CPU usage.   Here is the link for PBP. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection   ... View more

FYI -  Here is a workaround for someone who wants to bring up the HA1 Backup before upgrading the PAN-OS.   Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup) Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit.   This workaround should bring up the HA1 Backup. Hope this helps!   ... View more

Thanks for your reply! Do you have the bug/issue ID? Or is this non-public one?   ... View more

Any updates on this case? I've got the same issue on PA-3220 with PAN-OS 8.1.8. I see the symptom precisely like you that ' receive packets dropped' increased on Active firewall. I'm going to open a case with TAC.     ... View more