This will help to crack your interview --

Key Observations

1. Symptom Analysis:

   • Random periods of packet loss, latency, and performance degradation.

   • Duplicate packets when pinging the ISP gateway.

   • Dropped packets on the inside interface.

   • Extremely high latency from the firewall's interfaces, while network core switches maintain normal sub-10ms latency.

2. Cause:

   • GlobalProtect Client Misbehavior:

     • Clients with GlobalProtect enabled caused significant traffic generation even without being authenticated.

     • Zoom meetings or heavy applications exacerbated the traffic load, creating a near DDoS scenario on the active firewall.

   • Traffic Looping:

     • Misconfigured routing or firewall policies caused traffic to loop or flood the data center firewall.

     • HQ firewall allowed GP clients to directly access the data center in-office, which led to overwhelming traffic bursts.

3. Infrastructure Context:

   • HA pair in active/passive mode showed identical symptoms, ruling out hardware issues.

   • Traffic overload of 300,000 packets/sec was overwhelming the data center's firewall.

Step-by-Step Diagnosis and Resolution

Step 1: Analyze Traffic Flow

• Use packet captures on the outside and inside interfaces to identify abnormal traffic patterns.

• Identify heavy traffic sources and confirm their origin.

• Example: Analyze traffic between HQ clients (GlobalProtect users) and the data center to pinpoint excessive traffic spikes.

Step 2: Debug the GlobalProtect Clients

• Check GlobalProtect client logs for repetitive connection attempts or high traffic generation.

• If needed, restrict or block GP traffic to the data center while on the HQ network (as implemented in your solution).

Step 3: Prevent Traffic Overload

• Traffic Segmentation:

  • Prevent GlobalProtect traffic from HQ to the data center using a rule or policy, as done in your solution.

• Rate Limiting:

  • Implement rate-limiting rules for GlobalProtect traffic to avoid overwhelming the data center firewall.

• Idle Session Timeout:

  • Configure shorter timeout intervals for GP clients to minimize prolonged traffic issues from inactive sessions.

Step 4: Examine and Optimize MTU/MSS

• Adjust MTU and MSS settings for optimal TCP packet handling:

  • Example: MSS = 1380 and MTU = 1492 can help reduce packet fragmentation issues.

• If duplicate packets persist, it could indicate a problem with ISP or physical interfaces.

Step 5: Validate the ISP Connection

• Work with your ISP to investigate:

  • Duplicate packet generation on their gateway.

  • High latency and packet loss observed on their side of the connection.

• Ensure the physical interface between the firewall and ISP is error-free.

Step 6: Monitor and Log High Traffic

• Use Palo Alto's logging and monitoring tools:

  • Identify traffic spikes using App-ID or Zone monitoring.

  • Enable "GlobalProtect Status" and "System Resources" to identify overload or saturation.

Best Practices for Avoiding Similar Issues

1. Segregate Traffic:

   • Use security policies to block or restrict unnecessary traffic between HQ and the data center.

   • Explicitly define which traffic is allowed to traverse between sites.

2. GlobalProtect Configurations:

   • Enable split tunneling to reduce traffic sent to the data center unnecessarily.

   • Ensure proper client settings to prevent unintended reconnections or excessive authentication attempts.

3. Rate Limiting and QoS:

   • Use rate-limiting policies for specific application traffic, especially for bandwidth-intensive apps like Zoom.

   • Apply Quality of Service (QoS) policies to prioritize critical traffic.

4. Proactive Monitoring:

   • Regularly check for unusual traffic patterns using Panorama or other monitoring tools.

   • Implement automated alerts for high traffic thresholds.

5. Firewall Resource Allocation:

   • Ensure adequate hardware sizing for expected traffic loads.

   • Review firewall session table capacity and resource utilization during peak times.