About kbrazil

Hi Kelly, Thank you for your reply. I think so, too. If it is correct, there is no way to get a debug of the PA via the cli on the Panorama. Regards, Tomoyuki Komure ... View more

All - it seems the best approach to solving this problem at this time is to create a rule for each protocol or application you do not want to display and disable logging and log forwarding. Not perfect, but it works.  ... View more

It would still be a good idea to open a ticket on this.  If the "attacker" is not compromised, then that means there might be a problem with the signature and it is matching on non-attack traffic.  On the other hand, there is the possibility that your mail server is compromised and you don't know it.  A call into support will help in both scenarios. Cheers, Kelly ... View more

I am aware of this, but I can assure you all this basic networking stuff is working fine on our side.  rgds Roland ... View more

Hi there, You might check out this tech note. https://live.paloaltonetworks.com/docs/DOC-1357 Cheers, Kelly ... View more

Hi Braden, You might consider disabling HTTPS and SSH admin access to your device through any of the external L3 interfaces, if possible and only use the out-of-band management interface.  Make sure the management interface is behind the firewall and is does not have a publicly routeable or NAT'ed address.  If it must be accessible externally, you might consider configuring a security policy that protects the management port with a Vulnerability Protection Profile to help block intrusion attempts.  In the 4.0 release you can also enable a "block-ip" action for vulnerability signatures of your choice. Also, look into configuring specific "permitted IP  addresses" on an Interface Management Profile and attaching it to your L3 interface, or configuring permitted IP's on your out-of-band management interface. Cheers, Kelly ... View more

Answered. ... View more

??  How about the other end switch, shouldn’t it be expecting BPDUS and put it in blocking state. Do you have any commands and documents layer 2 traffic and operations on PA and also HA link states If passing all bpdu without processing - Is it also applicable for BPDUs from un-trusted side? Thanks ... View more

I don't believe this is possible today since the RESTful API allows you to pull the configuration and reports but does not allow you to pull output from commands such as "show routing route".  You can file a feature request with your account team.  There will be more functionality going into the REST API in the future. Cheers, Kelly ... View more

If you have a very restrictive URL filtering policy, then you will run into these types of issues and you will have to manually create exceptions or be less restrictive. The URL Filtering feature simply uses the URI information to block or allow based on how you set your policy.  You might be able to accomplish your goal using a custom App-ID with an HTTP decoder.  This unlocks all of the HTTP headers and contexts so you can create a more granular signature.  This would not take URL category information to account, so you will need to weigh the pros and cons of each method. Cheers, Kelly ... View more

There are many ways to successfully design an L3 HA solution.  The most common is the 'switch-sandwich' where the firewall sits between two switches or two pairs of switches.  With a Layer2 device between the firewall and the router it should work nicely.  In the example I used in the earlier post you would be logically and physically combining the switch and router on the same hardware, basically emulating one side of the switch-sandwich. There are other designs that can utilize routing protocol, but these are a bit more complex.  You may want to work with your Palo Alto Networks or VAR SE to discuss the options. Cheers, Kelly ... View more

Firefox is the main problem. IE is not really am problem - I can use a GPO for the certs. Chrome uses the same certs as IE, s that works. But our friend Firefox does not seem to have an enterprise solution to management it (for certs or other configs - we had a similar issue when deploying proxy settings). ... View more