About hshah

Hi Shasnain, Current PAN-OS 5.0.6 is in use, SSL Decryption may not encounter same issue which we are thinking about. Regards, Hardik Shah ... View more

Hi Hithead, There is one reported issue with SSL decryption in 5.0.7, that might be fixed in 5.0.8. At this point I can not get more troubleshooting to match exact symptoms because PAN-OS is already downgraded. As of now I will suggest to be on 5.0.6. Regards, Hardik Shah ... View more

Please verify if SIP app override is done on Port UDP/5060 if SIP is using UDP. Otherwise it should be on TCP/5060 ... View more

Traffic coming over port 443 while policy is configured for 25, please add port 443. ... View more

Hi WLitdepartment , 46.140.150.154 is the interface IP address, hence regular static Nat will not work, you will have to configure port address translation. Please share access rule and NAT statement with us. Regards, Hardik Shah ... View more

Hi Jdecker, I would suggest to do wireshark capture while trying with IE8, I will provide next feedback after getting capture. Regards, Hardik Dinendra Shah ... View more

Hi Jecker, May I know what PAN-OS version is being used? Regards, Hardik Dinendra Shah ... View more

Hi Agosney, I have a doubt phase-I or Phase-II may be down. If "show vpn flow tunnel-id" has encapsulated packets 0 means packets are not going out. Please attach complete output for "flow basics" and ""show vpn flow tunnel-id"" along with "show vpn ike-sa"/"show vpn ipsec-sa". Regards, Hardik Shah ... View more

Hi Agosney, Please execute bellow mentioned command, if number of encapsulating bytes are increasing then firewall is sending packets out. admin@DanPA1(active)> show vpn flow tunnel-id 5 | match bytes   encap bytes: 55006856   decap bytes: 45722708 You can find tunnel-ID from command "show vpn ipsec-sa" or "show vpn isa-sa", let me know if have difficulty with this. Other option is to check Traffic log, if Egress interface is Tunnel interface then Firewall is certainly sending packets out. Other option is to do flow basics on that particular traffic stream, it will show packet level debug. Which will provide if firewall is dropping any packets. Packet Capture, Debug Flow-basic and Counter Commands Regards, Hardik Dinendra Shah ... View more

Hi Art... There is no way to block file based on Name ... It can be blocked by type. ... View more

Hi Gerald, Please refer following document page7, it confirms Martian packets are not supported. Packet Flow in PAN-OS Following page confirms 169.254.0.1/32 belongs to martian IP. Martian packet - Wikipedia, the free encyclopedia Let me know if you have more questions on this. ... View more

Hi, Please contactact Palo Alto Networks Sales Engineer, they have details on migration related issues and Tools as well. They can provide most recent and accurate information. ... View more

Hi Panos, How much is the delay difference? Regards, Hardik Dinendra Shah ... View more

Hi Gururaj, Its very interesting question, Vwire is just a bump in cable, it pass through all Spanning-tree packets. Topology without Vwire SW1------------------------SW2 |                                         | |                                         | SW3------------------------SW4 Topology with Vwire SW1-------------Vwire1(PAN)Vwire1-------SW2 |                                                                   | |                                                                   | SW1-------------Vwire2(PAN)Vwire2-------SW2 Vwire pass through all STP packets from one interface to other, its just a bump in cable. Basically it doesnt change STP Functionality. if one interface goes down in Vwire then other goes down immediately, So there is no chance of Spanning Tree loop. Regards, Hardik Shah ... View more

Hello Cryptochrome, Its very intelligent question. Topology: Server-------PAN------Internet----Client Digital certificate exported from Server is Imported on PAN, which means PAN and server have same certificate. Client generate connection with Server, now PAN can intercept each and every packet. PAN has digital certificate of Servers, so it can read everything which server can. Let me know if you need more information on this. ... View more