About ${userLoginName}

Hello all, I enabled DNS Sinhole on my palo and it is working fine. But now I'm interested in the DNS security license. Please help me understand some things? According to PA documentation since I have TP\\AV\\WF licenses, when a DNS query is made to a bad site the firewall will check its local DNS signatures which will hold a capacity of 100,000 signatures. So there's a chance that a bad query is not seen. However with the DNS seurity license, DNS signatures are stored in the cloud, it has an infinite amount of DNS signatures, and the DNS requests are real-time analysis and you get instant access to newly added DNS signatures, no need to wait for a download from your dynamic updates AV. My questions: 1. When I look at how to enable DNS security from their documentation, it looks exactly like how I have it now with only DNS sinkhole. So I guess I would just add the DNS security license and assume its working? 2. When a DNS query is made from a client on my network, by the time it does a live real-time lookup\\analysis, will the end user see any "lag" on their web request a timeout perhaps? 3. Will the DNS request use the local cache on the firewall (the 100,00 signatures), and if it doesn't find anything, it will then use the cloud, or it goes directly to the cloud? I wish Palo had more in depth documentation on how these things work\\flow, like a deeper dive. ​ Also, what are your thoughts on DNS security, have you found it to be useful? ... View more

  Hello all, Is there an official document from Palo Alto that lists their MFG part #'s? For example if I'm looking to purchase a 1 year subscription for my 3220 stand alone firewall I need to know the license part # to purchase. The frustrating part is that different websites list different MFG for the same product and its confusing. For example one may list it as this: MFG#: PAN-PA-3220-ADVURL While another website lists it completely different. ... View more

Hello all, I have the regular PAN-DB URL filtering and was considering the Advanced URL filtering.   From what I understand after reading the documentation, if the PA URL DB recognizes a URL as risky, it sends it to the Advanced URL DB in cloud for real time analysis. Without the advanced URL feature, I'm open to a zero day attack because the URL database on the firewall may not have been updated just yet. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/url-filtering-features/advanced-url-filtering.html   "Malicious URLs can be updated or introduced before URL filtering databases have an opportunity to analyze the content; this lag time gives attackers an open period from which they can launch precision attack campaigns on the firewall"   I have my Application and Threats updates to download and install every 30 minutes. So I'm figuring this "lag time" is the 30 minutes window, correct? Also, it says it only forewards URL's that are designated as risky. Wanting to know how many "risky" URL's my current standard URL license detects I want to see if its worth it. But, how do I view "risky" URL's?   In your opinion is it worth the purchase, have you found it to be a valuable asset? ... View more

I've just upgraded to 10.1.4-h4 from 9.x code and have noticed that the traffic logs take at least 30 seconds or longer to load. On the previous code it was only a couple of seconds. Mgmnt pane cpu is very low 5%.   Anyone have similar problems and fixes? Thank you. ... View more

Hello, I've been looking a history entries in our threat log and it seems to me that most of the default settings for vulnerabilities - "action" are set to low, for example to "alert" - although they classify the threat as "medium" or "high". For example in the screenshot below the threat of this hacktool is set to "alert". Shouldn't this be a set at east to a drop\reset, etc or something that doesn't allow it? What's Palo's thinking behind this? Thanks. ... View more

Hello, I configured zone protection, (reconnaissance protection), and enabled the tcp\udp port scan and host sweep and chose the default as action "alert". Afterwards, I noticed in the monitor logs this vulnerability appeared, "ZGrab Application Layer Scanner Detection". The severity is medium. Where do I change the action? I can change it in the reconnaissance protection tab, or I could change it in the Vulnerability protection profile exceptions tab, what is the difference? Also, is this a tcp\udp port scan or a host sweep? the detailed log view doesn't specify. Also, why wouldn't something thats considered a threat such as a scan on the network only be set to "alert" by default?         ... View more

Hello, On Device>Certificate Management>Certificates - I have a IntermediateCert, under the RootCert, that is expiring. I can easily renew it, (It's self signed), but I'm trying to understand what its being used for. I haven't found any information that easily explains it, (just basically how to install, renew, etc). How can I find out what this certificate is for, whats using it and what its purpose is? Also what would the benefit be of not having it self signed? Thanks. ... View more

Hello, If I have a policy for example that allows application "web-browsing" and service is "port 500" - does that mean that the rule will allow if the application is either "web browsing" OR "service 500" or the rule will be allowed if the application is "web browsing" AND "service 500"? Thanks. ... View more

We have a server in our DMZ that is allowing from the internet the SSH application via our Palo Alto firewall. The server in the DMZ is very well locked down and the application on the server that facilitates the SSH session is a highly rated 3rd party application that allows vendors to connect to servers in your network. I've read and heard how safe\unsafe SSH is, but I cant find anything that makes itr seem to me any less safe than ipsec vpn or https. Any thoughts? Also, I see that the applications for SSH the security rule include: SSH SSH-Tunnel Is there a preference?   Thanks. ... View more

Hello, We have URL filtering with the PAN-DB license. If a URL is determined to be malicious, (from other URL checking websites, but not from Palo Aloto's yet, since they only categorized it as high risk and unknown at the moment). What is the best way to make sure users will be blocked from it? We are blocking the categories of hacking, malware, phishing and C&C. Do I add it to my URL filtering block list on the Palo Alto firewall? I submitted the URL to the Palo Alto website to test it and I requested a change for it to be categorized as phishing, but I received an email back that I would be notified in 24 hrs. What is the best way to make sure users will not reach a site that is malicious but PA Networks hasnt classified it as that yet? Thanks, ... View more

Hello, I have user-id enable on the trust zone and it works fine. I also have a DMZ zone and was wondering if it was ok to enable it on that zone? I know best practice is to not enable it on the outside zone, but we have many dmz to trust security policies and I would like to see in the reports some of the user accounts that are sourcing in the DMZ. Some of those DMZ servers in the DMZ are also open to the public. Any thoughts? Thanks. ... View more