About ITCMPHC

So far no issues in a week. I'd say this bug is squashed finally. ... View more

Yeah I have the same experience. I upgraded one set of 3050s last night and so far things look good. I noticed they increased the FPTCP buffer from 32768 to 131072... quite the jump! I monitor this value every 5 seconds and I've yet to see the buffer go under 129000, whereas before it would hit 0 quite often (and thus cause the decryption outage). I'll continue to keep an eye on it and will report here if things go south again. ... View more

How'd it go? Any glaring issues? I'm looking to upgrade tonight ... View more

Support says this is now being "tracked" as part of 7.0.4 which is slated for a December release. ... View more

I upgraded last night and am still having the issue. I've reported it to support as well. ... View more

Same thoughts here as well.   Each week we had to add increasingly more sites to non-decrypt policies. Eventually we unchecked the "Block unsupported cipher suites" in the decryption policy in hopes of allowing these sites to still work but just not be decrypted. Unfortunately in 6.x, this setting appears to be bugged and the site still won't load. We were recommended by support to move to 7.x, where they said the issue was fixed. We moved to 7.0.2 and found that these sites wouldn't load on first attempt, but a browser refresh would then successfully load it. Not great, but better than before.   Unfortunately a month into running 7.x, we ran into a bug in which our Palos began depleting a certain buffer and would stop processing all SSL/TLS traffic for ~10 minutes. At first this issue happened once or twice a day, but now I've seen it occur as many as 15 times in one day. Early on I wrote a program to monitor for this buffer depletion and fail-over as needed, so none of our users actually experience issues with it. I don't like the fact that I'm having to invoke HA fail-overs so many times though. Failing back to 6.x isn't really an option due to the length of time to see this issue after we upgraded to 7.x and the amount of changes we made within that timeframe. Support assures me that this issue will be fixed in 7.0.3.   I've lost a lot of faith in PAN's ability to stay up with current technology and publish quality releases. Minor bugs are one thing, but when every release has bug fixes related to dataplane restarts, race conditions, memory leaks, etc... It's just getting to be too much for a critical system. You could say not to update to the latest and greatest, but these kinds of bugs have been in every version. We had them in 5.x, 6.0.x, 6.1.x, and now 7.x. Also with certain things like trusted root certs being tied to software upgrades, you really need to stay up to date.   I have a datacenter firewall upgrade project coming up, and I was really considering putting in PA-5060s or VMs for SDN. At this point I've pretty much dropped PAN from my options because I can't afford to have the same issues in the datacenter that I've had on the perimeter.    Ultimately I really hope PAN can work through the current issues and put in a better QA process. I'd imagine they're going to have to completely revamp their decryption methods however. ... View more

I've been told this will be fixed in 7.0.3 which is tentatively scheduled for Oct 19.  ... View more

Yes, we have a ticket open regarding this right now. What is happening is the FPTCP buffer is filling up and not releasing like it should. Once this happens, the SSL Proxy engine drops packets until the buffer finally clears. We don't yet know what the true cause of the buffer filling up is.   You can verify you are experiencing the same bug by SSHing into the firewall and issueing the command "debug dataplane pool statistics". There you will see the line "FPTCP segs" (###): ###/###  The 3rd number is the max amount of buffer and the 2nd number is how much is left. When the issue occurs, you will notice the 2nd number stuck at 1. Eventually it will release on its own and traffic will flow again. Alternatively if you have an HA pair, you can fail over and it will immediately resolve. edit: our ticket is 00379855 and the bug id is 84781, if you'd like to reference those with support. ... View more

I don't recommend moving to 7.x at the moment. We're on 7.0.2 on one of our HA'd 3050 pairs and have a couple problems. One is the decrypt issue listed above. The second is that every 1-2 weeks, the IPSEC engine crashes which brings down all of our VPN connections. Any attempt at troubleshooting (viewing logs basically) causes the dataplane to crash. Support is aware but it is taking quite a while to identify the cause. ... View more

I've got about 1k users and I am decrypting all traffic. Currently running 7.0.1 on a pair of 3050s. 7.x has definitely improved the situation as they fixed a bug that prevented many pages from loading even with the unsupported cipher bypass enabled. You still run into situations like the one you described, but not nearly as many as before. I generally have 2-3 unblock requests per week so it is managable for now. I expect that number to go up in the future as more sites begin using cipher suites that the Palos can't handle. I'm hoping Palo is putting time into supporting more suites as decryption is one of the foundations of their app-id.   ... View more