About kbrazil

The User-ID is being tied to the internal assigned IP address, so I'm not sure that the external IP address is the issue.  I suspect it may be a timing issue or conflict with the User-ID agent or Captive Portal logic. Cheers, Kelly ... View more

Hi there, Log forwarding profiles can be enabled per policy, so you can create a Security Policy rule that allows "remote-access" applications with an application filter.  Then attach a log forwarding profile that emails for every session.  Since the emails will only apply to applications that match that rule, you effectively get an email every time a user completes a remote-access session. You can also turn on session logging at start for that rule so you get the email as soon as the session is identified as a remote-access application. Cheers, Kelly ... View more

Security rules are post-nat, but NAT is not actually implemented until packet egress.  This means that for the inbound, destination-nat packets the external IP's should be used in the policy.  For the outbound initiated traffic the internal IP's should be used in the security policy. The NAT rules are only for the direction the traffic is initiated.  Traffic initiated from the Internet will be destination-natted and the return traffic in the same session will correctly use the same natted IP as the source IP.   Traffic initiated from the internal network will not hit the first two VNAT rules so you will need an outbound NAT rule.  You can have a single source-nat rule that encompasses both internal IP's for your purposes. How exactly is it not working?  Are packets not hitting the Security Policy?  Do you see them in the logs but with the incorrect NAT IP's in the details? Cheers, Kelly ... View more

I would file a Support case as this does not seem to be expected behavior. Cheers, Kelly ... View more

Yes, the SSL VPN login will populate the traffic, threat, url, etc. logs with User-ID information. Cheers, Kelly ... View more

Spoof attacks are logged, but the MAC address is not included in the logs. Cheers, Kelly ... View more

Hi Kevin, You can modify the risk level of the DNS app without worry.  It will not affect DNS attack detection/protection.  It is only used in reporting and in the ACC. Cheers, Kelly ... View more

Hi there, Glad you figured it out.  Another way to do this in PAN-OS 3.1 and later is to create an outbound source-nat for the server/service and configure the source-nat as 'bidirectional'.  This will create the secondary inbound destination-nat in the background.  It will essentially be a hidden rule that looks like this: source-zone:  any dst-zone: source-zone of the outbound bidirectional nat rule destination-nat: source-nat ip of the outbound bidirectional nat rule This guarantees the same IP for inbound and outbound initiated traffic. Cheers, Kelly ... View more

Hi there, You can search applications by port in the Applipedia:  http://ww2.paloaltonetworks.com/applipedia/ I didn't find anything using port 2051. Even if you did find a matching port, it may not be the same application since App-ID's don't use port numbers for the signatures. If you allow the port through via security policy the firewall will still do App-ID so you can check the identified application in the logs.  If it comes up as "unknown-udp" then you will need to open a case to have the application added to in a future content release.  A PCAP may be requested to get the signature written. Cheers, Kelly ... View more

Hello, This capability will be available in the next major release. Cheers, Kelly ... View more

Hi there, It looks like the next major release will have this capability. Cheers, Kelly ... View more

Hi there, The next major release will include tagging functionality for policies that will give you similar organizational capablities. Cheers, Kelly ... View more