Yes, we have plans to upgrade, but in our production environment it takes a lot of time to plan and perform it. As for the dynamic updates - we upgraded to the latest and it made no difference. @SteveCantwell wrote: "I am running 10.1.0 and I have this issue (but then again... I am on very bleeding edge software as well. :P)" This does not sound too promising 🙂
Thank you for the advice! Decreasing the TIME_WAIT sounds much more reasonable. But are there any downsides? In principle, is there a hope that Palo Alto will fix the application detection under the TCP reuse condition, or am I missing some fundamental issue rendering this fix impossible?
Hello Everyone! We have a pair of PA-5260 (PAN-OS 9.1.4) between 2 security zones serving primarily the traffic to a file buffer. About 90% of the traffic is FTP, with the server side being a load balancer IP. With a small fraction of traffic we experience an issue where an absolutely standard active FTP data flow fails to be recognized by the PA as an FTP session and appears in the logs as an "unknown-ftp" flow. Each and every such flow has a common attribute - the session end reason is "tcp-reuse". I believe that in our scenario, with a limited number of source/destination IPs, it is not so unexpected to run into a condition where the same ip/port 4-tuple gets reused within a short period of time. The problem is that this "unknown-tcp" application flow gets dropped by the configured ruleset, which causes transmission problems for the users, because their transfers fail once in a while. As a workaround, I have implemented an L4 rule allowing "unknown-tcp" from port 20 to a client's IP range, which on one side fixed the problem, but on the other side allowed this subset of flows to pass the firewall uninspected. I opened a TAC case and after the troubleshooting session the verdict was that we need to configure an application override for the FTP app. And this is where I want to ask for more clarification. The TAC engineers' explanation was only that it will fix all our problems and improve the performance. But I still struggle to understand how. In my understanding, app override is required when there is some non-standard app which a user wants to define and maybe provide signatures for deeper inspection. Another use case, as I understand it, would be if a known app is running on non-standard ports, and for this scenario there is a drop-down list input for the parent app in the App Override dialog box. Neither of these use cases quite matches our scenario. We have an absolutely standard active FTP that uses ports 21 and 20 for control and data respectively.
As I understood it, if we didn't set FTP as the "parent app" in the app override definition, it would catch all the FTP traffic with the overridden FTP app, but without any NG inspection. This would obviously improve the performance, but disabling the NG inspection is not what we want! Or am I lacking some understanding? Can anybody explain how an app override configuration for standard FTP ports would help us? Thanks!
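Before changing TIME_WAIT or adding an application override, it helps to confirm from the traffic logs that the failing transfers really are 4-tuple reuse within a short window, and to measure how short that window is. The script below is an added example, not code from the original thread or from Palo Alto Networks; it parses a constructed, simplified session log (the field order and names are this example's own, not the PAN-OS CSV export layout), reports sessions whose 4-tuple was seen again within a configurable window, and separately lists the sessions that show the exact symptom the poster describes (app "unknown-tcp" with end reason "tcp-reuse").

```python
"""Spot TCP 4-tuple reuse and the unknown-tcp/tcp-reuse symptom in session logs.

Constructed example for illustration: the log format below is simplified and
assumed (time,src,sport,dst,dport,app,end_reason,action), not a real export.
"""
from collections import Counter
from datetime import datetime

# Constructed sample sessions: an active-FTP data port (20) on a load balancer
# talking to a small client range. The third line reuses the first line's
# 4-tuple only 12 seconds later and is the flow the thread complains about.
SAMPLE_LOG = """\
2021-03-01 10:00:00,10.0.0.5,20,10.1.1.10,40001,ftp,tcp-fin,allow
2021-03-01 10:00:03,10.0.0.5,20,10.1.1.10,40002,ftp,tcp-fin,allow
2021-03-01 10:00:12,10.0.0.5,20,10.1.1.10,40001,unknown-tcp,tcp-reuse,deny
2021-03-01 10:00:40,10.0.0.5,20,10.1.1.11,40001,ftp,tcp-fin,allow
2021-03-01 10:02:30,10.0.0.5,20,10.1.1.10,40002,ftp,tcp-fin,allow
"""

FIELDS = ("time", "src", "sport", "dst", "dport", "app", "end_reason", "action")


def parse_log(text):
    """Turn the simplified CSV text into a list of dicts with parsed timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def tuple_key(rec):
    """The 4-tuple the firewall uses to identify a session."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def find_reuse(records, window_seconds=60):
    """Return (record, gap_seconds) for every session whose 4-tuple was last
    seen no more than window_seconds earlier. Sorting by time keeps the
    'previous session' bookkeeping correct even for unordered input."""
    last_seen = {}
    hits = []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = tuple_key(rec)
        if key in last_seen:
            gap = (rec["time"] - last_seen[key]).total_seconds()
            if gap <= window_seconds:
                hits.append((rec, gap))
        last_seen[key] = rec["time"]
    return hits


def misclassified_reuse(records):
    """Sessions showing the symptom from the thread: unknown-tcp + tcp-reuse."""
    return [r for r in records
            if r["app"] == "unknown-tcp" and r["end_reason"] == "tcp-reuse"]


def summarize(records):
    """Count sessions by (app, end_reason, action) to size the problem."""
    return Counter((r["app"], r["end_reason"], r["action"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec, gap in find_reuse(recs):
        print(f"reuse after {gap:.0f}s: {tuple_key(rec)} -> {rec['app']}/{rec['action']}")
    print("symptom sessions:", len(misclassified_reuse(recs)))
    for key, n in summarize(recs).items():
        print(key, n)
```

Running it against an exported traffic log (after mapping the real columns onto the assumed field order) gives the distribution of reuse gaps; if every misclassified session sits well inside the TIME_WAIT window the poster was advised to shorten, the change addresses the cause, and the summary counts show how much traffic the interim L4 workaround is letting through uninspected.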