SSL Weak CBC Mode Vulnerability

Our box was scanned by Qualys and the SSL VPN portal cames up with the following message:

If possible, upgrade to TLS v1.1 or TLS v1.2. If upgrading is not possible, then disabling CBC mode cipher will remove the vulnerability.

Any ideas how to disable

Advantages of Virtual Systems...

...What are the advantages of using Virtual Systems, other than being able to divide Management and Reporting of "Virtual" firewalls.  In my case, I have a DMZ, Wireless, Trust and Untrust networks connected to a PA 5020.  Should I split up the DMZ a

Forwarding mDNS (multicast DNS specifically for Apples' Bonjour Service)

Hi Guys,

What support does the Palo Alto Firewall offer in terms of forwarding on mDNS (multicast DNS, more specifically Apples Bonjour Service)?

I have a customer where they have the student and staff wireless network on a seperate VLAN, with the Palo

Unknown user after install and configure UI Agen

Dear All,

     My PAN is 500 with 4.1.6 OS. I just migrate PAN agent to UI agent with version 4.1.6-5.  After installation and configuration, I check the user-mapping the result show as following;

> show user ip-user-mapping all

IP              Ident. B

how to block skype for 'trust' zone and allow for 'trust2' zone

Hi,

I'm trying to block skype for one group of users (whitch are in 'l3-trust' security zone) and allow for second group (which are in 'l3-trust2' security zone).

Both zones: 'l3-trust' and 'l3-trust2' are source-NATed to 'l3-untrust' zone, one interfa

Captive Portal on connecting to SSID rather than via Browser for Apple devices - is it possible?

Hello Everyone,

I was just wondering if it is possible to have captive portal pop up on connecting to a SSID rather than having the captive portal page upon accessing any website for apple devices?  Captive Portal works on accessing any website using

AD Groups in Firewall Policy - Inconsistent Behaviour

I have two issues with managing firewall policies when using AD groups; running 4.1.7 - so am using the 'on-hardware' group retrieval rather than the PAN Agent.

1) When adding new groups to be mapped they do not appear in the GUI i.e. cannot be select

Production Code Recommendations

I am getting ready to move two 5050s into production and would like to know what release code to start with based on your recommendations. I assume that 4.1.10 would be the best choice, but 5.0 has been out for a little while now. I normally wait for

Best Practises from a Performance perspective.

Hello Everyone,

Could someone shed some light on configuration best practises that can optimise performance from GUI , Security rule processing etc ?

For example , I was told that using a App Group with a large number of Apps to whitelist might have an