BGP and Firewalls...

David david at davidswafford.com
Fri Dec 9 10:05:41 CST 2011


SSL interception was the most painful -- Palo Alto finally confirmed it as a bug in 3.1.9, haven't upgraded yet.  it basically eats ssl traffic sporadically.

had another issue during go-live where a "commit" caused the box to crash (3.1.9)

and another during that same week where a malformed ssl packet crashed the dataplane.

all cases involved significant interruptions because most did not trigger ha-related failovers.  palo alto support was extremely slow in all cases we've had and from that perspective alone i would not put all of my eggs into it.  great box for web filtering from a feature perspective, but my bluecoats were much more stable in their 4 yr life than the first 2 weeks on our 2050s

david.

Sent from an email server.

On Dec 8, 2011, at 10:11 AM, "Gregory Croft" <gcroft at shoremortgage.com> wrote:

> What kind of Bugs are you running into? 
> I have two PA500's at the moment and haven't really had any issues with
> web filtering. 
> 
> 
> 
> Thank you, 
> Gregory S. Croft 
> 
> -----Original Message-----
> From: David [mailto:david at davidswafford.com] 
> Sent: Thursday, December 08, 2011 9:50 AM
> To: Gregory Croft
> Cc: <nanog at nanog.org>
> Subject: Re: BGP and Firewalls...
> 
> I wouldn't do it.  We have 8 x PA-2050s and run into a lot of weird
> bugs.... (just doing web filtering)
> 
> David
> 
> Sent from an email server.
> 
> On Dec 7, 2011, at 12:31 PM, "Gregory Croft" <gcroft at shoremortgage.com>
> wrote:
> 
>> Hi All,
>> 
>> 
>> 
>> Does anyone have any experience with using firewalls as edge devices 
>> when BGP is concerned?
>> 
>> Specifically the Palo Alto series of devices. 
>> 
>> 
>> 
>> If so please contact me off list. 
>> 
>> 
>> 
>> Thank you. 
>> 
>> 
>> 
>> 
>> 
>> Thank you,
>> 
>> Gregory S. Croft
>> 
>> 
>> 
>> 
>> 


