Management Articles

Featured Article
This article can assist you in importing the policies of an existing Palo Alto Networks firewall into Panorama.

Assumptions

- You have a configuration on your Palo Alto Networks firewall.
- An instance of Panorama is up and running with the same version of PAN-OS (or higher).
- You have Web and CLI administrator access to both the firewall and Panorama.
- The firewall has been configured to connect to Panorama in Device > Setup > Management > Panorama Settings.
- The firewall's serial number has been added to Panorama and a Panorama commit has been completed.
- Panorama shows that the firewall is connected in Panorama > Managed Devices.

Steps

1. On the Panorama, navigate to Panorama > Setup > Operations.
2. Click "Import device configuration to Panorama."
3. Select the appropriate device and name the template and Device Group Name accordingly. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations.
4. Once you click “OK”, the configuration of the firewall will be imported to the Panorama.
5. Commit locally to Panorama to save the new Device Group and Template created by the import.
6. Push the imported configuration back to the firewall:
   - On the Panorama, navigate to Panorama > Setup > Operations.
   - Click on "Export or push device config bundle".
   - Choose either "Push & Commit" or "Export."

   Push & Commit: This option will overwrite any local configuration on the firewall with the firewall configuration stored on the Panorama. This will succeed where a normal commit will generate errors associated with objects and rules existing both in Panorama and the firewall. When you choose "Push & Commit" you will see a job triggered on the Panorama and will see Job Status details as shown below:

   Export: This option will export the configuration to the firewall but not load it. You should manually load the configuration from the CLI by running the command "load device-state." Then the configuration should be committed. When you choose the "Export" option you will see a job triggered on the Panorama and see details as shown below:

   Note: The above two options ("Push & Commit" and "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.
7. After this is performed, you should Push to Devices and select the options "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values”.

Caveats and important notes:

- If you had previously broken a firewall off from Panorama support under Device > Setup > Panorama Settings > Disable Panorama Policy and Objects/Disable Device and Network Template and were now re-importing it into the same or another Panorama, you WILL have to ensure those options are enabled again to receive the Push and Commit or Export. The Push and Commit would delete all local information, but leaving the options to Disable Panorama's config in place will prevent Panorama from giving it any configuration, including management IP and default gateway (so only Console access would be possible at that time).
- If multiple devices are being imported and then moved to one device group, they MUST be imported into their own new Device Group/Template and follow steps as mentioned above. Only once they are showing properly in their own Device Groups/Templates and have received all configuration pushed from Panorama can you place them into a single Device Group/Template, after which you must Commit locally to Panorama and then Push to Devices while selecting "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values”.
- If importing a new device into Panorama via the Import Device Configuration to Panorama option, after adding its serial number to Panorama's Managed Devices you must ensure it is NOT a part of a Device Group/Template before performing the import, as it will not show as an available device to import the configuration.
- When performing the Import, ONLY the Running Config on the firewall is imported. If any changes were made and are only in the Candidate Config (not pushed to the firewall) then they will NOT be imported.
achalla ‎08-07-2018 05:36 AM
6 Replies
The table below shows the relative mapping between BrightCloud URL categories and PAN-DB URL categories. As part of the PAN-DB license activation process, if existing URL filtering profiles are found, PAN-OS will automatically map those policies to use the new PAN-DB categories using the mapping below. In the case of N:1 mappings, the most severe action will be used for the new PAN-DB category.

As always, please be sure to save your configuration before making any changes, and double-check that the URL profile is correct after the migration process.

For a list of PAN-DB categories and their descriptions, please reference:

BrightCloud Category | PAN-DB Category
Abortion | Abortion
Abused Drugs | Abused Drugs
Adult and Pornography | Adult
Alcohol and Tobacco | Alcohol and Tobacco
Auctions | Auctions
Bot Nets | Command and Control
Business and Economy | Business and Economy
Cheating | Questionable
Computer and Internet Info | Computer and Internet Info
Computer and Internet Security | Computer and Internet Info
Confirmed SPAM Sources | Malware
Content Delivery Networks | Content Delivery Networks
Cult and Occult | Religion
Dating | Dating
Dead Sites | Insufficient-Content / Parked
Dynamically Generated Content | N/A (no mapping as URL will be categorized based on the content)
Educational Institutions | Educational Institutions
Entertainment and Arts | Entertainment and Arts
Fashion and Beauty | Society
Financial Services | Financial Services
Games | Games
Government | Government
Gross | Questionable
Hacking | Hacking
Hate and Racism | Extremism
Health and Medicine | Health and Medicine
Home and Garden | Home and Garden
Hunting and Fishing | Hunting and Fishing
Illegal | Questionable/Copyright-Infringement
Image and Video Search | Search Engines
Individual Stock Advice and Tools | Stock advice and tools
Internet Communications | Internet Communications and Telephony
Internet Portals | Internet Portals
Job Search | Job Search
Keyloggers and Monitoring | Malware
Kids | Society
Legal | Legal
Local Information | Travel
Malware Sites | Malware
Marijuana | Abused Drugs
Military | Military
Motor Vehicles | Motor Vehicles
News and Media | News
not-resolved | Not-resolved
Nudity | Nudity
Online-gambling | Gambling
Online Greeting cards | Entertainment and Arts
Online - music | Music
Online - personal-storage | Online storage and backup
Open HTTP Proxies | Proxy Avoidance and Anonymizers
Parked Domains | Parked
Pay to Surf | Web Advertisements
Peer to Peer | Peer-to-peer
Personal sites and Blogs | Personal sites and blogs
Philosophy and Political Advocacy | Philosophy and Political Advocacy
Phishing and Other Frauds | Phishing
Private IP Addresses | Private IP Addresses
Proxy Avoidance and Anonymizers | Proxy Avoidance and Anonymizers
Questionable | Questionable
Real Estate | Real Estate
Recreation and Hobbies | Recreation and Hobbies
Reference and Research | Reference and Research
Religion | Religion
Search Engines | Search Engines
Sex Education | Sex Education
Shareware and Freeware | Shareware and Freeware
Shopping | Shopping
Social Networking | Social Networking
Society | Society
SPAM URLs | Malware
Sports | Sports
Spyware and Adware | Malware
Streaming Media | Streaming Media
Swimsuits & Intimate Apparel | Swimsuits and Intimate Apparel
Training and Tools | Training and Tools
Translation | Translation
Travel | Travel
Unconfirmed SPAM Sources | Malware
Unknown | Unknown
Violence | Questionable
Weapons | Weapons
Web Advertisements | Web Advertisements
Web based email | Web-based Email
Web Hosting | Web Hosting

owner: dyang
dyang ‎01-10-2018 04:51 PM
21 Replies
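
Added example (not part of the original article or of PAN-OS): a Python preview of how a BrightCloud URL filtering profile collapses onto PAN-DB categories under the "most severe action wins" rule described in the mapping article above, so the migrated profile can be checked against an expected result. The mapping is a subset of that article's table; the severity order, the sample profile and all function names are assumptions.

```python
# Subset of the BrightCloud -> PAN-DB table from the article (N:1 rows plus one 1:1 row).
BC_TO_PANDB = {
    "Abused Drugs": "Abused Drugs",
    "Marijuana": "Abused Drugs",
    "Cheating": "Questionable",
    "Gross": "Questionable",
    "Violence": "Questionable",
    "Questionable": "Questionable",
    "Fashion and Beauty": "Society",
    "Kids": "Society",
    "Society": "Society",
    "Confirmed SPAM Sources": "Malware",
    "Keyloggers and Monitoring": "Malware",
    "Malware Sites": "Malware",
    "SPAM URLs": "Malware",
    "Spyware and Adware": "Malware",
    "Unconfirmed SPAM Sources": "Malware",
    "Hacking": "Hacking",
}

# ASSUMPTION: ranking from least to most severe; the article does not spell it out.
SEVERITY = ["allow", "alert", "continue", "override", "block"]


def migrate_profile(bc_actions):
    """Map {BrightCloud category: action} to PAN-DB categories.

    Returns (pandb_actions, tightened, unmapped):
      pandb_actions: {PAN-DB category: most severe action among its sources}
      tightened:     BrightCloud categories whose traffic gets a stricter action
      unmapped:      categories with no entry in this subset of the table
    """
    sources = {}
    unmapped = []
    for bc_cat, action in bc_actions.items():
        if action not in SEVERITY:
            raise ValueError(f"unknown action {action!r} for {bc_cat!r}")
        pan_cat = BC_TO_PANDB.get(bc_cat)
        if pan_cat is None:
            unmapped.append(bc_cat)
            continue
        sources.setdefault(pan_cat, []).append((bc_cat, action))

    pandb_actions, tightened = {}, []
    for pan_cat, entries in sources.items():
        winner = max((action for _, action in entries), key=SEVERITY.index)
        pandb_actions[pan_cat] = winner
        tightened += [bc for bc, action in entries if action != winner]
    return pandb_actions, sorted(tightened), sorted(unmapped)


# Constructed sample profile, for illustration only.
SAMPLE_PROFILE = {
    "Kids": "allow",
    "Fashion and Beauty": "alert",
    "Society": "allow",
    "Marijuana": "block",
    "Abused Drugs": "alert",
    "Hacking": "block",
    "Dynamically Generated Content": "alert",  # N/A in the article's table
}

if __name__ == "__main__":
    actions, tightened, unmapped = migrate_profile(SAMPLE_PROFILE)
    for category, action in sorted(actions.items()):
        print(f"{category}: {action}")
    print("stricter after migration:", tightened)
    print("no mapping:", unmapped)
```

The "stricter after migration" list is the part to review with application owners before activating PAN-DB, since those categories change behaviour without any rule being edited.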
Overview

This document describes how to move from PAN-DB URL Filtering license to BrightCloud URL Filtering license on a Palo Alto Networks device.

Steps

1. From the WebGUI, go to Device > Licenses and click "Retrieve license keys from licenses server" under License Management. The BrightCloud Url Filtering section will appear when the BrightCloud licenses have been successfully retrieved.
   Note: In a High Availability (HA) environment, bring the device into the non-functional state in order to change the URL Filtering database.
2. Click "Activate" under the BrightCloud URL Filtering section:
3. Activating the BrightCloud URL Database can take a little while, but the WebGUI will reflect the change from PAN-DB to BrightCloud, as shown below:

The same result can also be achieved using the following CLI command:

    > set system setting url-database brightcloud

owner: hshah
hshah ‎04-21-2017 04:46 AM
4 Replies
To create a custom report to see the least used rules based on the number of bytes/packets, go through the following steps.

Steps

1. Create one custom report from Monitor > Manage Custom Reports and click on Add.
2. Load Template and select “Top security rules”.
3. Set Database to Traffic Log.
4. The Selected Columns on the right must contain "Rules", "Bytes" and "Count" only.
5. Set Time Frame as desired.
6. Sort by “Bytes” or “Packets”. All other options can be left as is.
7. You can schedule the report or hit “Run now” to get the report instantly.

The output of the report should be similar to the one below.

owner: aciobanu
aciobanu ‎03-17-2017 07:06 AM
5 Replies
Overview

This document has two sections. The first part describes the migration process from BrightCloud to PAN-DB if the managed device has Panorama pushed URL Profiles with BrightCloud categories. The latter part explains how to migrate a high-availability pair.

Note: For a multi-vsys environment, see BrightCloud to PAN-DB Migration with Panorama in Multi-Vsys Configuration.

Migration Process with Panorama

1. Verify whether Dynamic URL is enabled on the device.

       > set cli config-output-format set
       > configure
       # show deviceconfig setting url

   If it is configured, then delete the setting by running the following commands:

       # delete deviceconfig setting url dynamic-url
       # commit

2. License the Palo Alto Networks device with PAN-DB license and activate the license on the device.
   - Navigate to Device > Licenses
   - Click Retrieve license keys from license server or Activate feature using auth code
3. Download the URL DB initial seed file optimized for a specific region:
   - Navigate to Device > Licenses
   - Click Download under the Palo Alto Networks URL filtering
4. Activate PAN-DB on device (click Device > Licenses). This should fail: the commit will fail with error "Details:profiles -> url-filtering -> <Profile-name> -> license-expired Not available for PAN-DB", and local policy will be migrated to PAN-DB, while Panorama pushed policy remains BrightCloud.
5. Switch database on Panorama from BrightCloud to PAN-DB. Command to change DB on Panorama:

       > set system setting url-database paloaltonetworks

6. Push Panorama configuration to the device with a commit operation. This should report as successful. However, the device will show BrightCloud from a licensing perspective, though URL objects will show PAN-DB categories. Additionally, if attempting to add a new URL filtering object, it will show PAN-DB categories, but BrightCloud settings.
7. From the device, re-activate PAN-DB. Click Device > Licenses or from the CLI run the command:

       > set system setting url-database paloaltonetworks

   Device should be fully migrated to PAN-DB.

How to migrate a High-Availability Pair

1. Suspend the passive device.
2. Perform Steps 1 - 4 from the previous section and migrate the passive device to PAN-DB.
3. After confirming that the passive device is successfully migrated, bring the passive device functional. High-Availability will not be formed due to the URL filtering database mismatch.
4. Suspend the Active device.
   Note: There will be a short downtime when migrating a high-availability pair from BrightCloud to PAN-DB as each device must be brought to non-functional state in order to change the URL Filtering database.
5. Perform Steps 1 - 4 from the previous section and migrate the active device to PAN-DB.
6. After confirming that the active device is successfully migrated, bring the active device functional. High-Availability will be formed as soon as the active device comes back up.

owner: kalavi
kalavi ‎04-20-2016 04:48 AM
5 Replies
Question

Does PA-3060 support PAN-OS versions released prior to PAN-OS 6.1.0?

Answer

No. The PA-3060 model in the PA-3000 series does NOT support PAN-OS versions released prior to 6.1.0.

The PA-3060 hardware includes the new 10G SFP+ ports and only PAN-OS 6.1 and above support this hardware. An internal check has been programmed for this device to not fetch any versions prior to PAN-OS 6.1.0 from the software update server, and any attempts to manually load older versions would also fail. This behavior is by design to avoid any unforeseen issues due to unsupported PAN-OS versions. The PA-3050 and PA-3020 devices CAN run older PAN-OS versions if desired.

Please Note: if you manually upload and install any software prior to PAN-OS 6.1, you will get the following error while trying to install:
syadav ‎01-04-2016 12:54 PM
0 Replies
1 Like
Overview

This document describes how to migrate from BrightCloud to PAN-DB database if the managed device has Panorama pushed URL Profiles with BrightCloud categories and is configured in multi-vsys mode.

Note: For a single vsys environment, see BrightCloud to PAN-DB Migration Process with Panorama.

Steps

1. Verify whether Dynamic URL filtering is enabled on the device.

       > set cli config-output-format set
       > configure
       # show deviceconfig setting url

   If it is configured, then delete the setting by running the following commands:

       # delete deviceconfig setting url dynamic-url
       # commit

2. License the Palo Alto Networks device with PAN-DB license and activate the license on the device.
   - Navigate to Device > Licenses
   - Click Retrieve license keys from license server or Activate feature using auth code
3. Download the URL DB initial seed file optimized for a specific region.
   - Navigate to Device > Licenses
   - Click Download under the Palo Alto Networks URL filtering
4. [On the firewall]: Activate PAN-DB (Device > Licenses). This should fail. That is, the commit will fail and the local policy will be migrated to PAN-DB, while Panorama pushed policy remains BrightCloud.
5. [On Panorama]: Switch database on Panorama from BrightCloud to PAN-DB with the following command:

       > set system setting url-database paloaltonetworks

6. [On the firewall]: Remove the Panorama-pushed shared configuration on the firewall. Navigate to Device > Setup > Panorama Settings and click “Disable Panorama Policy and Objects”, click OK to confirm.
   Note: In the dialogue that appears, do not check the box for “Import Panorama Policy and Objects before disabling”.
7. [On the firewall]: Enable Panorama to again push the shared configuration to the firewall. Navigate to Device > Setup > Panorama Settings and click “Enable Panorama Policy and Objects”, click OK to confirm.
8. [On Panorama]: Push the Panorama config one vsys at a time from Panorama.
9. [On the firewall]: Re-activate PAN-DB.

       > set system setting url-database paloaltonetworks

In a High Availability (HA) environment, once the device is activated it will come up as "Non-functional" due to DB mismatch with the peer. Follow the additional steps below for an HA environment:

- Suspend the Active/Primary device; this will make the secondary device functional.
- Follow steps 3 through 9 above.

Note: Both devices are now using PAN-DB. Once both devices are functional, fail over back to the original Primary/Active device.

owner: pchanda
pchanda ‎08-19-2015 02:40 PM
3 Replies
Learn how to work through issues related to using auto-zone assign while using the PA Migration tool for Cisco's ASA configuration.
vikasvishwanath ‎08-18-2015 02:32 PM
1 Reply
Overview

This document describes how to restore the managed device configuration from Panorama to a Return Merchandise Authorization (RMA) when there is no device-state or running config available from the affected device.

Steps:

1. Export the managed device configuration from Panorama to the local drive: How to Export Backups of Managed Device Configuration Files from Panorama
2. Import the managed device configuration from the local drive to the RMA device. Go to Device > Setup > Operations > Import. Import the named configuration.
3. Load the device configuration to the firewall. Go to Device > Setup > Operations > Load. Load the named configuration snapshot.
4. Commit the configuration.

Note: Please refer to the Panorama Admin guide for How do I replace a managed device with a replacement device (RMA of the firewall)?
ssastera ‎12-07-2014 06:50 PM
2 Replies
Overview

Panorama has 3 possible options at install:

1. Create a very large disk partition and install Panorama and DB (Seldom used)
2. Create 35G partition for Panorama and then an external Disk, up to 2TB for log storage.
3. 35G Panorama image and log to NFS mount.

If option 2 is performed, then follow one of the steps below to migrate the logs:

- Take a snapshot of the log partition and move it to the new server.
- Have the old Panorama do a new NFS mount. Migrate the existing logs to the NFS mount. The new Panorama can just mount the same server/direct.
- Use SCP to retrieve logs from the old Panorama and transfer to the new server (or another device).

owner: skrall
panagent ‎01-10-2012 03:50 PM
2 Replies
Overview

This document describes how to manually import the policies of an existing Palo Alto Networks firewall into Panorama. Addresses, address groups, services and policies will be imported so the same policies can be applied to other firewalls that are managed by Panorama.

Assumptions

- You have a PAN firewall that has a configuration on it.
- An instance of Panorama is up and running with the same version of PAN-OS (or higher).
- You have Web and CLI administrator access to both the firewall and Panorama.

Steps

1. You will need a device group on Panorama. The policies will be imported into this device group. If you do not already have a device group created for this purpose, use the Panorama GUI to create one. There is no need to assign any devices to this group at the moment. Here is an example group:
2. If you created a new group, commit the change in Panorama.
3. SSH to the firewall whose configuration is to be imported.
4. Once in the firewall, configure the CLI to present its output in set format by issuing the command:

       set cli config-output-format set

   Then go into configuration mode. Here is an example:
5. When converting an existing firewall configuration via the set commands into Panorama, you are going to need to address different parts of the configuration in order. The following are converted one at a time. As of PAN-OS 3.1.7, the order follows the flow shown below.

Item | CLI Command
Address | show address
Address Groups | show address-group
Services | show service
Service Groups | show service-group
Log Settings | show shared log settings
Server Profile | show shared server-profile
Application | show application
Application Filters | show application-filter
Application Groups | show application-group
Application Override | show rulebase application-override
Security Profiles | show profiles
Security Rules | show rulebase security rules

Importing Address Objects

Show, convert, and import address objects from the firewall into Panorama.

- On the firewall, issue the command show address to display all address objects. Your output should look similar to this:
- Copy all of the addresses set commands to a text file.
- Once your addresses are in a text file, we will perform a search and change set address to set shared address. Once you have replaced all instances of this, your set objects from the firewall should look like:
- SSH to the target Panorama server. To be able to enter multiple commands at one time, you will need to turn on scripting-mode in Panorama. Set the CLI to scripting-mode, and enter config mode:

      set cli scripting-mode on
      configure

- Copy the modified set commands from the text file and paste them at the Panorama command prompt: Make sure you do not see “invalid syntax” errors. If you cannot paste multiple lines at a time, you may need to experiment with different ssh programs/different operating systems.
  Note: In scripting-mode, auto-complete is not enabled. Thus if you need to check the syntax of a command, you will need to disable scripting mode, test the command, then re-enable scripting mode.
- In the Panorama GUI, go to the Objects tab > Addresses screen, and confirm you can see the imported addresses there. Make sure all your address objects were imported.

Importing Address Groups, Services, etc.

Conversion of other components is performed in the same way. Examine the second column below. Execute each command on the firewall, copy the output to your text file, edit your text file, then copy those new commands into Panorama.

Note: When doing this make sure whatever editor you are cutting and pasting into does not mistakenly cut command lines where they were wrapped in the console. If you get invalid syntax warnings, check your input to see if there were any set commands which were chopped during the copying process.

Policy Component | Show Command | Search Text | Replace Text
Address | show address | set address | set shared address
Address Groups | show address-group | set address-group | set shared address-group
Services | show service | set service | set shared service
Service Groups | show service-group | set service-group | set shared service-group
Log Settings | show shared log-settings | N/A | N/A
Server Profile | show shared server-profile | N/A | N/A
Application | show application | set application | set shared application
Application Filters | show application-filter | set application-filter | set shared application-filter
Application Groups | show application-group | set application-group | set shared application-group
Application Override | show rulebase application-override | set rulebase application-override | set device-group <device group> pre-rulebase application-override

STOP once you get to the copying of the security rulebase into Panorama.

Importing the Security Rulebase

- Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set the log forwarding profile to none:
- If you just modified your firewall configuration, commit your changes.
- On the firewall, issue the command: show rulebase security rules
- Copy and paste all of the security rules to a text document. Review the commands to make sure there are no incorrect carriage returns -- those will cause you to import invalid data and possibly create erroneous rules.
- In the text file, do a search and replace, making sure to use your device group name from step 1:

      SEARCH: set rulebase security rules
      REPLACE: set device-group <device group name> pre-rulebase security rules

  Note: The above replace string assumes that you want to import the policies into your security pre-rulebase.
- Cut and paste these rules into the Panorama CLI. Initially, cut and paste the very first command, then cut and paste all commands associated with the first rule. This way you can monitor for errors. Once you have a few commands successfully entered, enter the commands in bulk.
- Once you enter all the commands successfully, you should be able to see your policies in the pre-rulebase for your particular device group.

PAN-OS 5.x:

Network and device templates were introduced for Panorama in PAN-OS 5.0. In order to import the firewall config into Panorama, please make sure that the Templates are configured in advance with the respective devices added into each template with their configurations (multi-vsys, operational-mode, vpn-disable-mode) in place.

For example, to import an interface config run the command: show network interface. Search for set network and replace it with set template (name of the template) config. Conversions for some of the main components are shown below:

Component | Show Command | Search Text | Replace Text
Network | #show network interface | #set network | #set template (template name) config network
Device config | #show deviceconfig | #set deviceconfig | #set template (template name) config deviceconfig

To turn off scripting mode:

    set cli scripting-mode off

Commit this config in Panorama. At this point, the firewall policies have been imported and additional firewalls can be added to this device group. Also, these pre-rules can be applied to the newly added firewalls.

owner: gmaxwell
nrice ‎02-17-2011 10:14 AM
7 Replies
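
Added example (not code from the original article or from Palo Alto Networks): the search-and-replace step of the manual import article above, automated in Python. It applies the article's Search Text/Replace Text pairs to set-format output and withholds any command that looks cut by console wrapping, which is the failure the article warns about; the sample output, the device group name `branch-dg` and all function names are constructed for illustration.

```python
import re

# Conservative name check so a mistyped name cannot smuggle extra CLI tokens.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_rules(device_group, template=None):
    """Search/replace prefixes from the article's tables, longest prefix first."""
    for name in (device_group, template):
        if name is not None and not NAME_RE.match(name):
            raise ValueError(f"unsafe name for pasting into a CLI: {name!r}")
    dg = f"set device-group {device_group} pre-rulebase"
    rules = {
        "set address": "set shared address",
        "set address-group": "set shared address-group",
        "set service": "set shared service",
        "set service-group": "set shared service-group",
        "set application": "set shared application",
        "set application-filter": "set shared application-filter",
        "set application-group": "set shared application-group",
        "set rulebase application-override": f"{dg} application-override",
        "set rulebase security rules": f"{dg} security rules",
    }
    if template:  # PAN-OS 5.x template rows from the article
        rules["set network"] = f"set template {template} config network"
        rules["set deviceconfig"] = f"set template {template} config deviceconfig"
    return sorted(rules.items(), key=lambda kv: len(kv[0]), reverse=True)


def looks_chopped(line):
    """Unbalanced quotes or [ ] lists suggest the line was cut mid-command."""
    return line.count('"') % 2 == 1 or line.count("[") != line.count("]")


def convert(show_output, device_group, template=None):
    """Return (commands_for_panorama, problems); a problem is (lineno, reason, text)."""
    rules = build_rules(device_group, template)
    kept, problems = [], []
    for lineno, raw in enumerate(show_output.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("set "):
            # Tail of a wrapped command: report it and withhold the head as well.
            problems.append((lineno, "fragment of a wrapped command", line))
            if kept and kept[-1][0] == lineno - 1:
                prev_no, prev = kept.pop()
                problems.append((prev_no, "cut short by console wrapping", prev))
            continue
        if line.startswith("set shared "):
            new = line  # log settings / server profile rows: N/A in the table
        else:
            for search, replace in rules:
                if line.startswith(search + " "):
                    new = replace + line[len(search):]
                    break
            else:
                problems.append((lineno, "no search/replace pair in the article", line))
                continue
        if looks_chopped(new):
            problems.append((lineno, "unbalanced quotes or brackets", line))
            continue
        kept.append((lineno, new))
    return [cmd for _, cmd in kept], problems


# Constructed set-format output; the allow-web rule is deliberately wrapped.
SAMPLE_SHOW_OUTPUT = """\
set address web-srv ip-netmask 10.1.1.10/32
set address-group dmz-servers static [ web-srv db-srv ]
set service tcp-8443 protocol tcp port 8443
set rulebase security rules allow-dns from trust to untrust source any destination any application dns service application-default action allow
set rulebase security rules allow-web from untrust to dmz source any destination dmz-servers application web-browsing service
tcp-8443 action allow
set zone untrust network layer3 ethernet1/1
"""

if __name__ == "__main__":
    commands, problems = convert(SAMPLE_SHOW_OUTPUT, "branch-dg")
    print("\n".join(commands))
    for lineno, reason, text in sorted(problems):
        print(f"REVIEW line {lineno}: {reason}: {text}")
```

Only the returned commands should be pasted into Panorama; every line in the review list needs to be re-copied from the firewall first, because a half-imported rule can end up broader than the original.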
PAN-OS has two predefined services, service-http and service-https. To easily migrate NetScreen/Juniper security policies that use their predefined services, run (copy & paste) the following commands in CLI configuration mode and use the resulting services in the security policy configuration.

Note: Some service names are not exactly the same as the ones used by NetScreen/Juniper due to the literal limitation of PAN-OS.

    set service AOL protocol tcp port 5190-5194
    set service APPLE-ICHAT-SNATMAP protocol udp port 5678
    set service BGP protocol tcp port 179
    set service CHARGEN protocol udp port 19
    set service DHCP-Relay protocol udp port 67
    set service DISCARD protocol udp port 9
    set service DNS protocol udp port 53
    set service ECHO protocol udp port 7
    set service FINGER protocol tcp port 79
    set service FTP protocol tcp port 21
    set service GNUTELLA protocol udp port 6346-6347
    set service GOPHER protocol tcp port 70
    set service GTP protocol tcp port 3386
    set service H323 protocol tcp port 1720
    set service HTTP-EXT protocol tcp port 8000-8001
    set service IDENT protocol tcp port 113
    set service IKE protocol udp port 500
    set service IKE-NAT protocol udp port 500
    set service IMAP protocol tcp port 143
    set service InternetLocatorService protocol tcp port 389
    set service IRC protocol tcp port 6660-6669
    set service L2TP protocol udp port 1701
    set service LDAP protocol tcp port 389
    set service LPR protocol tcp port 515
    set service MAIL protocol tcp port 25
    set service MGCP-CA protocol udp port 2727
    set service MGCP-UA protocol udp port 2427
    set service MS-RPC-EPM protocol udp port 135
    set service MS-SQL protocol tcp port 1433
    set service MSN protocol tcp port 1863
    set service NBDS protocol udp port 138
    set service NBNAME protocol udp port 137
    set service NetMeeting protocol tcp port 1720
    set service NFS protocol udp port 111
    set service NNTP protocol tcp port 119
    set service NS_Global protocol tcp port 15397
    set service NS_Global_Pro protocol tcp port 15397
    set service NSM protocol udp port 69
    set service NTP protocol udp port 123
    set service PC-Anywhere protocol udp port 5632
    set service POP3 protocol tcp port 110
    set service PPTP protocol tcp port 1723
    set service RADIUS protocol udp port 1812-1813
    set service Real_Media protocol tcp port 7070
    set service REXEC protocol tcp port 512
    set service RIP protocol udp port 520
    set service RLOGIN protocol tcp port 513
    set service RSH protocol tcp port 514
    set service RTSP protocol tcp port 554
    set service SCCP protocol tcp port 2000
    set service SIP protocol udp port 5060
    set service SMB protocol tcp port 139
    set service SMTP protocol tcp port 25
    set service SNMP protocol udp port 161
    set service SQL_Monitor protocol udp port 1434
    set service SQLNet_V1 protocol tcp port 1525
    set service SQLNet_V2 protocol tcp port 1521
    set service SSH protocol tcp port 22
    set service SUN-RPC-PORTMAPPER protocol udp port 111
    set service SYSLOG protocol udp port 514
    set service TALK protocol udp port 517-518
    set service TCP-ANY protocol tcp port 0-65535
    set service TELNET protocol tcp port 23
    set service TFTP protocol udp port 69
    set service UDP-ANY protocol udp port 0-65535
    set service UUCP protocol udp port 540
    set service VDO_Live protocol tcp port 7000-7010
    set service VNC protocol tcp port 5800
    set service WAIS protocol tcp port 210
    set service WHOIS protocol tcp port 43
    set service WINFRAME protocol tcp port 1494
    set service X-WINDOWS protocol tcp port 6000-6063
    set service YMSG protocol tcp port 5050

For the following services of NetScreen/Juniper, you can use App-ID instead of service on a Palo Alto Networks device:

Service Name (JNPR) | App-ID Name (PAN)
ANY | any
GRE | gre
HTTP | service-http
HTTPS | service-https
ICMP Address Mask | icmp_address_mask (custom)
ICMP Dest Unreachable | icmp_destination_unreachable (custom)
ICMP Fragment Needed | icmp_destination_unreachable (custom)
ICMP Fragment Reassembly | icmp_destination_unreachable (custom)
ICMP Host Unreachable | icmp_destination_unreachable (custom)
ICMP Parameter Problem | icmp_destination_unreachable (custom)
ICMP Port Unreachable | icmp_destination_unreachable (custom)
ICMP Protocol Unreach | icmp_destination_unreachable (custom)
ICMP Redirect | icmp_redirect (custom)
ICMP Redirect Host | icmp_redirect (custom)
ICMP Redirect TOS & Host | icmp_redirect (custom)
ICMP Redirect TOS & Net | icmp_redirect (custom)
ICMP Source Quench | icmp_source_quench (custom)
ICMP Source Route Fail | icmp_destination_unreachable (custom)
ICMP Time Exceeded | icmp_time_exceeded (custom)
ICMP-ANY | icmp_any (custom)
ICMP-INFO | icmp_info (custom)
ICMP-TIMESTAMP | icmp_timestamp (custom)
MS-AD-BR | active-directory
MS-AD-DRSUAPI | active-directory
MS-AD-DSROLE | active-directory
MS-AD-DSSETUP | active-directory
MS-DTC | ms-dtc
MS-EXCHANGE-DATABASE | ms-exchange
MS-EXCHANGE-DIRECTORY | ms-exchange
MS-EXCHANGE-INFO-STORE | ms-exchange
MS-EXCHANGE-MTA | ms-exchange
MS-EXCHANGE-STORE | ms-exchange
MS-EXCHANGE-SYSATD | ms-exchange
MS-FRS | ms-frs
MS-IIS-COM | ms-iis
MS-IIS-IMAP4 | ms-iis
MS-IIS-INETINFO | ms-iis
MS-IIS-NNTP | ms-iis
MS-IIS-POP3 | ms-iis
MS-IIS-SMTP | ms-iis
MS-MESSENGER | msn
MS-RPC-ANY | msrpc
MS-SCHEDULER | ms-scheduler
MS-WIN-DNS | ms-win-dns
MS-WINS | ms-wins
OSPF | ospf
PING | ping
SCTP-ANY | sctp
TRACEROUTE | ping

To configure the custom App-IDs shown in the above list, copy and paste the following commands in the CLI configuration mode:

    set application icmp_source_quench category networking
    set application icmp_source_quench subcategory ip-protocol
    set application icmp_source_quench technology network-protocol
    set application icmp_source_quench risk 1
    set application icmp_source_quench consume-big-bandwidth no
    set application icmp_source_quench able-to-transfer-file no
    set application icmp_source_quench used-by-malware no
    set application icmp_source_quench evasive-behavior no
    set application icmp_source_quench has-known-vulnerability no
    set application icmp_source_quench pervasive-use no
    set application icmp_source_quench prone-to-misuse no
    set application icmp_source_quench tunnel-applications no
    set application icmp_source_quench tunnel-other-application no
    set application icmp_source_quench data-ident no
    set application icmp_source_quench virus-ident no
    set application icmp_source_quench file-type-ident no
    set application icmp_source_quench spyware-ident no
    set application icmp_source_quench default ident-by-icmp-type 4
    set application icmp_any category networking
    set application icmp_any subcategory ip-protocol
    set application icmp_any technology network-protocol
    set application icmp_any risk 1
    set application icmp_any consume-big-bandwidth no
    set application icmp_any able-to-transfer-file no
    set application icmp_any used-by-malware no
    set application icmp_any evasive-behavior no
    set application icmp_any has-known-vulnerability no
    set application icmp_any pervasive-use no
    set application icmp_any prone-to-misuse no
    set application icmp_any tunnel-applications no
    set application icmp_any tunnel-other-application no
    set application icmp_any data-ident no
    set application icmp_any virus-ident no
    set application icmp_any file-type-ident no
    set application icmp_any spyware-ident no
    set application icmp_any default ident-by-ip-protocol 1
    set application icmp_timestamp category networking
    set application icmp_timestamp subcategory ip-protocol
    set application icmp_timestamp technology network-protocol
    set application icmp_timestamp risk 1
    set application icmp_timestamp consume-big-bandwidth no
    set application icmp_timestamp able-to-transfer-file no
    set application icmp_timestamp used-by-malware no
    set application icmp_timestamp evasive-behavior no
    set application icmp_timestamp has-known-vulnerability no
    set application icmp_timestamp pervasive-use no
    set application icmp_timestamp prone-to-misuse no
    set application icmp_timestamp tunnel-applications no
    set application icmp_timestamp tunnel-other-application no
    set application icmp_timestamp data-ident no
    set application icmp_timestamp virus-ident no
    set application icmp_timestamp file-type-ident no
    set application icmp_timestamp spyware-ident no
    set application icmp_timestamp default ident-by-icmp-type 13
    set application icmp_info category networking
    set application icmp_info subcategory ip-protocol
    set application icmp_info technology network-protocol
    set application icmp_info risk 1
    set application icmp_info consume-big-bandwidth no
    set application icmp_info able-to-transfer-file no
    set application icmp_info used-by-malware no
    set application icmp_info evasive-behavior no
    set application icmp_info has-known-vulnerability no
    set application icmp_info pervasive-use no
    set application icmp_info prone-to-misuse no
    set application icmp_info tunnel-applications no
    set application icmp_info tunnel-other-application no
    set application icmp_info data-ident no
    set application icmp_info virus-ident no
    set application icmp_info file-type-ident no
    set application icmp_info spyware-ident no
    set application icmp_info default ident-by-icmp-type 15
    set application icmp_address_mask category networking
    set application icmp_address_mask subcategory ip-protocol
    set application icmp_address_mask technology network-protocol
    set application icmp_address_mask risk 1
    set application icmp_address_mask consume-big-bandwidth no
    set application icmp_address_mask able-to-transfer-file no
    set application icmp_address_mask used-by-malware no
    set application icmp_address_mask evasive-behavior no
    set application icmp_address_mask has-known-vulnerability no
    set application icmp_address_mask pervasive-use no
    set application icmp_address_mask prone-to-misuse no
    set application icmp_address_mask tunnel-applications no
    set application icmp_address_mask tunnel-other-application no
    set application icmp_address_mask data-ident no
    set application icmp_address_mask virus-ident no
    set application icmp_address_mask file-type-ident no
    set application icmp_address_mask spyware-ident no
    set application icmp_address_mask default ident-by-icmp-type 17
    set application icmp_redirect category networking
    set application icmp_redirect subcategory ip-protocol
    set application icmp_redirect technology network-protocol
    set application icmp_redirect risk 1
    set application icmp_redirect consume-big-bandwidth no
    set application icmp_redirect able-to-transfer-file no
    set application icmp_redirect used-by-malware no
    set application icmp_redirect evasive-behavior no
    set application icmp_redirect has-known-vulnerability no
    set application icmp_redirect pervasive-use no
    set application icmp_redirect prone-to-misuse no
    set application icmp_redirect tunnel-applications no
    set application icmp_redirect tunnel-other-application no
    set application icmp_redirect data-ident no
    set application icmp_redirect virus-ident no
    set application icmp_redirect file-type-ident no
    set application icmp_redirect spyware-ident no
    set application icmp_redirect default ident-by-icmp-type 5
    set application icmp_destination_unreachable category networking
    set application icmp_destination_unreachable subcategory ip-protocol
    set application icmp_destination_unreachable technology network-protocol
    set application icmp_destination_unreachable risk 1
    set application icmp_destination_unreachable consume-big-bandwidth no
    set application icmp_destination_unreachable able-to-transfer-file no
    set application icmp_destination_unreachable used-by-malware no
    set application icmp_destination_unreachable evasive-behavior no
    set application icmp_destination_unreachable has-known-vulnerability no
    set application icmp_destination_unreachable pervasive-use no
    set application icmp_destination_unreachable prone-to-misuse no
    set application icmp_destination_unreachable tunnel-applications no
    set application icmp_destination_unreachable tunnel-other-application no
    set application icmp_destination_unreachable data-ident no
    set application icmp_destination_unreachable virus-ident no
    set application icmp_destination_unreachable file-type-ident no
    set application icmp_destination_unreachable spyware-ident no
    set application
icmp_destination_unreachable default ident-by-icmp-type 3 set application icmp_time_exceeded category networking set application icmp_time_exceeded subcategory ip-protocol set application icmp_time_exceeded technology network-protocol set application icmp_time_exceeded risk 1 set application icmp_time_exceeded consume-big-bandwidth no set application icmp_time_exceeded able-to-transfer-file no set application icmp_time_exceeded used-by-malware no set application icmp_time_exceeded evasive-behavior no set application icmp_time_exceeded has-known-vulnerability no set application icmp_time_exceeded pervasive-use no set application icmp_time_exceeded prone-to-misuse no set application icmp_time_exceeded tunnel-applications no set application icmp_time_exceeded tunnel-other-application no set application icmp_time_exceeded data-ident no set application icmp_time_exceeded virus-ident no set application icmp_time_exceeded file-type-ident no set application icmp_time_exceeded spyware-ident no set application icmp_time_exceeded default ident-by-icmp-type 11 owner: kmiwa
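The command block above repeats the same 17 attribute lines for each custom App-ID and differs only in the final `default ident-by-...` line, so a dropped line is easy to miss when pasting. The following added example (not part of the original article) regenerates the block from a name-to-ICMP-type table and checks pasted text for missing lines; the function names and the allowed name character set are assumptions made for illustration.

```python
import re

# Attribute lines shared by every custom App-ID in the article's command block.
TEMPLATE = ["category networking", "subcategory ip-protocol",
            "technology network-protocol", "risk 1"] + [
    flag + " no" for flag in (
        "consume-big-bandwidth", "able-to-transfer-file", "used-by-malware",
        "evasive-behavior", "has-known-vulnerability", "pervasive-use",
        "prone-to-misuse", "tunnel-applications", "tunnel-other-application",
        "data-ident", "virus-ident", "file-type-ident", "spyware-ident")]

# Name -> ICMP type, from the article's "default ident-by-icmp-type" lines.
ICMP_APPS = {"icmp_source_quench": 4, "icmp_timestamp": 13, "icmp_info": 15,
             "icmp_address_mask": 17, "icmp_redirect": 5,
             "icmp_destination_unreachable": 3, "icmp_time_exceeded": 11}

def app_commands(name, ident_kind, value):
    """Return the 18 'set application' lines for one custom App-ID."""
    # Assumption: a conservative charset, so a name cannot carry extra CLI tokens.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError(f"unsafe application name: {name!r}")
    if ident_kind not in ("icmp-type", "ip-protocol") or not 0 <= value <= 255:
        raise ValueError(f"bad identifier: {ident_kind} {value}")
    attrs = TEMPLATE + [f"default ident-by-{ident_kind} {value}"]
    return [f"set application {name} {a}" for a in attrs]

def build_all():
    """Regenerate the article's full block: icmp_any plus seven ICMP types."""
    lines = app_commands("icmp_any", "ip-protocol", 1)
    for name, icmp_type in ICMP_APPS.items():
        lines += app_commands(name, "icmp-type", icmp_type)
    return lines

def missing_attrs(text):
    """Map app name -> template lines absent from pasted (even flattened) text."""
    apps = {}
    for chunk in re.split(r"\bset application\s+", text):
        parts = chunk.split(None, 1)
        if len(parts) == 2:
            apps.setdefault(parts[0], set()).add(" ".join(parts[1].split()))
    report = {}
    for name, attrs in apps.items():
        gaps = [a for a in TEMPLATE if a not in attrs]
        if not any(a.startswith("default ident-by-") for a in attrs):
            gaps.append("default ident-by-<kind> <value>")
        if gaps:
            report[name] = gaps
    return report
```

Run `missing_attrs()` on the text you are about to paste; an empty dictionary means every application carries all template attributes and an identifier line.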
kmiwa 02-07-2011 08:52 PM