New guy, trying to deploy a new Palo Alto 3260 to my internet edge for extra protection

When I bring my Palo Alto 3260 inline at my internet edge, I start to experience severe packet loss almost immediately. It affects VDI View sessions and our Cisco AnyConnect solution, which live behind the Palo Alto firewall. I'm using this PA FW, temporarily, as a means to introduce DoS protection and GEO/country blocking. However, even before I could get to building and enabling those security profiles, the PA is degrading my hosted services.

I built two aggregate interfaces, ae1 = outside and ae2 = inside. I added three copper connections to each, and then applied vwire to it. I built my zones, and added the aggregate interfaces to the appropriate zone.

As a pretest, I set up a small network and routed it through the connecting devices that sit on each side of the PA, and that worked great after moving away from LACP on the connected devices and going with standard EtherChannel. However, when I swing multiple networks through the PA (multiple VLANs), I start seeing heavy packet loss, dropping 2 out of 3 packets in ping tests.

Initially, I was seeing drops in the logs from the "Intrazone" pre-built security policy, but once I changed the action on that rule to "PERMIT", I was no longer seeing drops in my logs on any security feature. I'm not confident that this was the right thing to do, but it seemed to cease the drop logs. This rule seemed to appear after applying the Day 1 configuration file.

Here is the topology:

ISP --> internet switches (VSS pair) --> PA 3260 --> Cisco ASR --> DMZ switches --> ASA firewall --> services

When I only route a single network through the PA, I can send 1k+ packets between the internet switches and the ASR without any loss.

Any thoughts/feedback on where I should be looking? Thanks in advance!