General Topics

Resolved! Problem with multiple Netflow profiles

Hello,I encounter a problem using multiple netflow profiles on our PA-500 running PAN-OS 4.1.8I have defined 3 different neflow profiles, each refers to a specific port on the same host.Each profile is assigned to exactly one physical layser 3 interface.The first profile delivers reasonable data to my flow receiver (Paessler PRTG Network Monitor...

Block page and SSL

Hey all,So, we have a need to block everyone but a small AD group access to a couple pages. Now, we don't want to just "deny" them in the rule (we have a comfort page that promps them they are blocked and allows them to request access) - I don't want to see all those tickets about a site not loading. So, here is what I did:Rule 1 Allow: Anyon...

Resolved! What is hidden locally on a device when being managed by Panorama?

When you configure a PA device to be managed by Panorama the first thing that (when you login through web-gui directly to the managed device) goes away is the contents of running-config.xml regarding address objects and security policies.These settings can instead be obtained by login through CLI/SSH and run "show config pushed".But what about P...

Resolved! Application = insufficient-data?

We have some outgoing UDP traffic that shows up in the traffic log with "insufficient-data" in the application field. The problem is that this traffic is being allowed through the firewall because it's being matched to a rule that allows FTP traffic through. What does the firewall mean by "insufficient data", and why does it think it's FTP traff...

Some of traffic logs are not converted,is it a bug ?

When upgrading from PAN-OS 4.0.9 to 4.1.7, some of traffic logs are not converted from the old logs.It seems like the logs of about one hour before upgrading are unavailable. I am using PA-2050 and PA-5020.

Alternative to sAMAccountname ,when using Ldap for Authentication

Hi,When we use to authenticate users through AD, we configure LDAP profile and in Authentication profile tab.We write "sAMAccountname" for attribute at this window.We want to change this attribute and we want users not to log in with just username; We want them to log in with username@domain or domain\username so What attribute should we use ?...

Resolved! Panorama license limit

Does anyone know if a customer owns a Panorama 25 device license and wants to add device #26, will it not allow them to add the 26th device or will it?Thx

Threat exception for selected hosts

Hi,We have defined vulnerability group which consists of AV, Anti-Spyware and Vulnerability profile. The vulnerability profile is configured to block critical events and alert on high and med. I have a need to except few hosts which are alerting for SSH brute force (high). How do I achieve this? Assuming if I configure new profile group and poli...

Resolved! 4.1.7 inspection causes corrupt download and speed issues

I have two 2050's in an HA pair A/P on 4.1.7. I have a BGP setup with 100Mbps on one link and 250Mbps on another, and Gb to the LAN and DMZ. I have transferred just over 3G through the PA in the last 60 minutes.When I turn on inspection (Antivirus, IPS/IDS, Data Filtering, File forwarding) I see corruption in downloads. For example, when d...

Exclude iTunes/App Store from decryption

I am using SSL decryption for all outbound traffic. Prior to the decryption rule I have a rule to attempt to exclude iTunes and App Store traffic from decryption. The rule seems to be working, but the App Store fails with "NSURLErrorDomain error -1012". When I turn off all decryption the App Store works.My rule is setup for no-decrypt from any...

Resolved! Panorama - AV and Threat version on individual device in one view?

Hi,Is it possible to view AV and Threat version running on all devices under Panorama on one page? Panorama -> Managed Devices shows IP address, serial number etc. I would like to know if the similar option is available for AV and threat versions.

Resolved! easy question, routing problem

Hello,I think it's an easy question, but I can't solve it.This is the situation. We have two routers.Router 1 (bintec RT1202) has two ethernet interfaces with different subnets sub1 (172.16.10.0/24), sub2 (172.16.20.0/24).Router 2 is our palo alto PA-200. It has one ethernet interface sub1(172.16.20.0/24)(just for the test).Now I want to make a ...

Netconnect can't install normally,after update to Java 7update9

Hi all,After update to java 7update9 , when i use sslvpn and install pan.jnlp,my install windows display was not normally.(error.png)Client Use Win7 X64 have this issue.WindosXP work normally.Has anyone face this issue?Regards,Jim

Resolved! Can AD User Agent 5.0.0-22 be used with PanOS 4.1.x?

I have a large number of AD servers at remote locations all running AD User Agent 4.1.6-5. I do have problems with PanOS 4.1.7 talking to this user agent; it forgets who is signed onto a PC.Can I install User Agent 5.0.0-22 on my AD servers and expect my 4.1.7 - 4.1.9 PanOS firewalls to talk to this new user agent, as well as function properly?

Resolved! Panorama 4.1.8 LDAP Failure

Having upgraded our Panorama from 4.1.7 to 4.1.8 - we can no longer use the LDAP user authentication.The user constantly gets "invalid username or password" (same message on the Panorama) - yet this worked without any problems with 4.1.7On Panorama - one can see that in the LDAP profile - the Base option is never getting populated (dropdown opti...

Discussions

Resolved! Problem with multiple Netflow profiles

Block page and SSL

Resolved! What is hidden locally on a device when being managed by Panorama?

Resolved! Application = insufficient-data?

Some of traffic logs are not converted,is it a bug ?