Christmas wishlist (DNS ALG, address space overlap, IPv6, allow nothing)


Dear all,

 

To start with, I'd like to say I love working with Palo Alto, really nice platform.

We are using the Palo Alto as a sort of advanced VPN concentrator with all the bells and whistles.

I want to share some of the features I desperately lack that I never knew I would need in my project.

The reason I'm sharing is I would love to know who else would also like to see these features.

 

1: I would love to have DNS ALG, aka DNS doctoring. The only way I'm able to work around this now (without creating a separate server to do this) is to make use of an elaborate scheme of DNS proxies which I have to feed manual translations :S. (It would also be nice if I were able to create my own ALG rules.)

2: I would love it if I could use destination NAT without doing a second route lookup after the NAT has taken place; I already said my packet should go out a certain interface, there is no need to look again. The nice thing about not doing that lookup is that I could have two exactly the same IP scopes on two different interfaces (of course with a transit network that does not overlap).

3: I would love having IPv6 functional in my GlobalProtect client tunnel.

4: I would like default rules to be opt-in instead of opt-out. I mean, if I add an ACL I want it to be blocking unless a specific requirement is met. Example: permit from nowhere and nobody to nowhere and no application. Because if someone adds a rule instead of copying one and makes a mistake, the preferred action would be to deny the traffic.
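To make item 1 concrete, here is a minimal DNS doctoring (DNS ALG) routine, added as an example for this thread; it is not PAN-OS code and not the poster's DNS-proxy setup. It walks the answer section of a DNS response and rewrites the RDATA of IN/A records whose address appears in a NAT table, so a client on the far side of the NAT learns the translated address instead of the inside one. The NAT table, the hostname `app.corp.example`, the addresses and the hand-built response are all constructed sample values.

```python
"""Minimal DNS doctoring: rewrite A-record answers through a NAT table."""
import struct
import ipaddress

# Constructed NAT table: inside (pre-NAT) address -> address the client should see.
NAT_TABLE = {
    "10.0.0.5": "192.0.2.5",
    "10.0.0.6": "192.0.2.6",
}

def _encode_name(name):
    """Wire-format a dotted hostname as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length

def _answer_rrs(msg):
    """Yield (rtype, rclass, rdata_offset, rdlength) for each answer-section RR."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    offset = 12                                  # fixed 12-byte header
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4     # skip QTYPE + QCLASS
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10                             # TYPE, CLASS, TTL, RDLENGTH
        yield rtype, rclass, offset, rdlength
        offset += rdlength

def a_records(msg):
    """List the IPv4 addresses carried in IN/A answer records, in order."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for rtype, rclass, off, rdlen in _answer_rrs(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]

def doctor_response(msg, nat_table):
    """Rewrite A-record RDATA for every inside address found in nat_table.
    An IPv4 address is always 4 bytes, so the message length and all
    compression pointers stay valid.  Returns (new_message, [(old, new), ...])."""
    buf = bytearray(msg)
    changes = []
    for rtype, rclass, off, rdlen in _answer_rrs(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue                             # leave AAAA, CNAME, etc. untouched
        old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        new = nat_table.get(old)
        if new is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(new).packed
            changes.append((old, new))
    return bytes(buf), changes

def build_sample_response(name, addresses):
    """Constructed DNS response: one question, one A RR per address, TTL 300.
    Answer names use a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(a).packed for a in addresses)
    return header + question + answers

# Constructed reply as an internal resolver would return it: two hosts behind
# the NAT plus one that is already reachable and must be left alone.
SAMPLE_RESPONSE = build_sample_response(
    "app.corp.example", ["10.0.0.5", "10.0.0.6", "198.51.100.9"])

if __name__ == "__main__":
    doctored, changes = doctor_response(SAMPLE_RESPONSE, NAT_TABLE)
    print("before:", a_records(SAMPLE_RESPONSE))
    print("after: ", a_records(doctored), "rewrites:", changes)
```

Two caveats a practitioner would want before relying on something like this: the NAT table has to be kept in step with the firewall's actual NAT rules (the manual-feeding problem the post describes), and rewriting RDATA invalidates any DNSSEC signature covering the answer, so a validating stub resolver behind the doctoring point will reject the doctored reply.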

 

Really anticipating all replies.

 

Merry Christmas

 

 


Hello,

 

You can always submit feature requests to your PAN systems engineer for these.

 

But for number 4 you can do this currently as long as you are running version 6.1 or higher: just override the default interzone rule and select action allow; this way everything is allowed unless you specifically add a rule to block it.

 

I would like to see support for RFC 6106. http://tools.ietf.org/html/rfc6106

 

Hope this helps,

Ben

Thanks for the reply, I'll give that a go as well. But regarding number 4, I noticed my explanation was a bit vague. I tried to fix that. Your solution still gives the same result, too much privilege. If you have a default deny, and you add a rule and the default settings lean towards allowing everything, then if you're not careful there is a potential for allowing too much.

There are no ACLs with Palo Alto. If you are talking about a security rule/policy, then the default action is to allow, and you have to change the behavior to deny the traffic if that is what you want.

The way you configure the policy will do what you want. Use rule #5 before 6; if 5 is not used then 6 will be used. Make sense? The traffic will look through the security policy until it finds a matching rule, to either be allowed or denied.

 

Also, there are PBF (Policy Based Forwarding) rules that can be configured. But that is something completely different, usually only used when dual ISPs are involved.

Here are some use examples for an older version:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Policy-Based-Forwarding/ta-p/54408

LIVEcommunity team member
Stay Secure,
Joe
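The exchange above turns on two points: the top-down first-match evaluation Joe describes, and the opt-out defaults (every match field "any", action allow) that item 4 of the wishlist objects to. The following model is an example added for this thread, not PAN-OS code and not configuration from either poster. It simplifies a security rule to single-valued zone, address and application fields, models the implicit interzone default as deny (on PAN-OS the implicit intrazone-default allows and interzone-default denies), and adds a small audit check that flags an allow rule whose match fields are all still "any". Zone names, prefixes and flows are constructed sample values.

```python
"""First-match security policy model with an audit for untouched 'any/any allow' rules."""
import ipaddress
from dataclasses import dataclass

ANY = "any"
MATCH_FIELDS = ("from_zone", "to_zone", "source", "destination", "application")

@dataclass
class Rule:
    """One security rule.  Every match field defaults to 'any' and the action to
    'allow', mirroring the opt-out default the original poster is worried about."""
    name: str
    from_zone: str = ANY
    to_zone: str = ANY
    source: str = ANY          # an IPv4 address, a CIDR prefix, or 'any'
    destination: str = ANY
    application: str = ANY
    action: str = "allow"

@dataclass
class Flow:
    """The fields of a session that the policy lookup is keyed on."""
    from_zone: str
    to_zone: str
    source: str
    destination: str
    application: str

def _matches(rule_value, flow_value):
    if rule_value == ANY:
        return True
    if "/" in rule_value:      # CIDR prefix in the rule, single address in the flow
        return ipaddress.ip_address(flow_value) in ipaddress.ip_network(rule_value, strict=False)
    return rule_value == flow_value

def evaluate(rules, flow):
    """Top-down first match.  A flow that matches no explicit rule falls through
    to the implicit interzone default, modelled here as deny."""
    for rule in rules:
        if all(_matches(getattr(rule, f), getattr(flow, f)) for f in MATCH_FIELDS):
            return rule.name, rule.action
    return "interzone-default", "deny"

def overly_broad_rules(rules):
    """Audit check: allow rules whose every match field is still 'any'.
    Such a rule matches everything and shadows every rule placed below it."""
    return [r.name for r in rules
            if r.action == "allow" and all(getattr(r, f) == ANY for f in MATCH_FIELDS)]

# Constructed rulebase: VPN users may reach DNS and the web tier in the DC zone;
# a final explicit rule denies everything else from vpn to dc.
BASELINE = [
    Rule("allow-vpn-dns", "vpn", "dc", "10.10.0.0/16", "10.20.0.53", "dns"),
    Rule("allow-vpn-web", "vpn", "dc", "10.10.0.0/16", "10.20.0.0/24", "web-browsing"),
    Rule("deny-vpn-dc", "vpn", "dc", action="deny"),
]

# The mistake from item 4: a rule created from scratch, never edited, placed at the top.
SLOPPY = [Rule("new-rule")] + BASELINE

SSH_FLOW = Flow("vpn", "dc", "10.10.1.7", "10.20.0.99", "ssh")
DNS_FLOW = Flow("vpn", "dc", "10.10.1.7", "10.20.0.53", "dns")
GUEST_FLOW = Flow("guest", "dc", "172.16.4.2", "10.20.0.53", "dns")

if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE), ("sloppy", SLOPPY)):
        print(label, "ssh  ->", evaluate(rules, SSH_FLOW))
        print(label, "dns  ->", evaluate(rules, DNS_FLOW))
        print(label, "guest->", evaluate(rules, GUEST_FLOW))
        print(label, "overly broad:", overly_broad_rules(rules))
```

Running it shows the baseline denying the SSH flow on the explicit rule and the guest flow on the implicit default, while the sloppy rulebase allows SSH on `new-rule` before the deny rule is ever consulted, which is exactly the failure mode item 4 wants the defaults to prevent. The audit check is the defensive counterpart: run it as a pre-commit gate so an untouched "any/any allow" rule cannot reach production.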

jdelio,

 

Thanks for your reply, but I would like you to read my post again, because you're not responding to what's there.

 
