About minow

pay another attention on the "hirarchy" of an application and that during a session the PA may re-evaluate the recognized application based on the application configuration ... View more

and also non tcp/usd application will not match on a rule with specific services (only any / application defaults) so when building this Layer 4 policy on a rule with application defaults the PA will take all the ports in the application information ... View more

hey application and services in paloalto secyrity policy.. leaving for a second the application part Paloalto should be like all other layer 4 FW so first the policy will build a "layer 4" security policy based on source destenation and service and by this policy it will allow / block traffic. when you put in the applications part of the policy Paloalto should still build first a Layer 4 policy (that because application can only be recognized after certain amount of packets). so first Paloalto will see a ip packet and will look for an allow rule in the built "layer 4" policy if a match is found for allow the PA will allow traffic to pass until it be able to recognize the application. once the application is recognized the PA will check if the application is match on the rule, if it is not match it will look for other rulle that match both application and service port, if not found it will drop the traffic (this is why you may see traffic matched on not relevant rule) so here you get paloalto addition to the services cullomn which is the application defaults so you almost shouldn't care on what ports application are running, ACCEPT on allow rules: 1) the application usse ANY ports 2) your application does not use default ports if you put an allow rule with service any (or application defaults with application that use any service) remember that PA will first allow traffic based on the "Layer 4" policy so you will allow port scan to your resource untill the application is found. in a deny rule it is important to e the ANY in the service because you want to block the application no matter the port is running on ... View more

i have been told that since 6.0, if you copy the rule from the local device to panorama and they have the same name and you removed it from the candidate config.... commit should work fine and not alert for duplicates. been tried and test migration like this: Template: 1) show all relevant configuration in "set" mode, 2) put them on the right location of the template 3) commit with "force template values" 4) commit without "force template values" this is very important if you will have connection problem with panorama you could just overwrite configuration locally without disabling panorama's template Device group: 1) copy all objects from the local device to the "shared" on panorma 2) copy the ruleset from the local device to panorama by editing the relevant location in the XML file and then importing on panorma 3) deleting all the rules and objects that I copied 4) commiting from panorma finelaysing:: 1) use the "show" command in the configureation mode and see what configuration I had missed locally on the device 2) if found something so migrate if to panorama ... View more

on the second option i do not agree.. if we are talkin gabout the "template" config then yes but it depands on the force template values and whether this was already configured on the local device if we are talking about the device-group then for sure the pushed configuration is merged with the runing-config. for example: i copied all the rules, obejcts to panorma and then deleted all of them from the device candidate config. pushed policy to the device and the commit failed on duplicated objects ... View more

yes this one i know... you better commit on panorama after any changes at least for versions up to 6.0.3 me question was how the device itself handles the commit that comes from panorama... it is very unclear... if you will look at the configuration files on the devices there are a lot running config candidate config template config merge config    < which have lets say the final "running config" it is very confusing how the device will compile / merge / calculate the config that comes from panorama thanks ... View more

thanks ... View more

hey we are using the 2.0.1 version of GP client "allow user to save password" is unchecked and we are using on demand mode ... View more

It PBR policy routing ACK to a different zone. thanks ... View more

i will check and update by the way... protocol should be 6 for tcp, and add destination-port 80 for http thanks ... View more