About HULK

Opps: Modified pic: Thanks ... View more

Hello mackwage, Are you talking about site to site IPSec VPN tunnel...? The PAN firewall will bring the IPSec VPN tunnel upon interesting traffic by default. Thanks ... View more

Here is a snippet from the admin guide for using apps with PBF: "The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to subsequentPBF rules (that do not specify an application) or the virtual router’s forwarding table. Allsubsequent sessions on that destination IP address and port for the same application willmatch an application-specific rule. To ensure forwarding through PBF rules, application specific rules are not recommended." which means the PBF rule will not match 100% of the time. PBF routing is determined by the first packet and most of the apps we have are not identified with the first packet which implies this will take the normal routing route. After the app is identified, the subsequent sessions of the same app with same src and destn will match the PBF rule. Again, it is not recommended to use apps with PBF. Thanks ... View more

Hello Kk555, Not all Apps can be used for PBF, because the routing decision is made at sessions start, you can only use Apps that can be discovered at session start. For your example: google-docs-base has a dependency of web-browsing & SSL. At session start the PAN will discover web-browsing or SSL and make a routing decision Once this decision is made the PAN will keep it for this Session. This is why you can't select all Apps for PBF. Please find below similar discussion thread: Re: PBF rule - applications Using Applications in PBF PBF based on Apps Re: APP limitation using PBF Re: Policy Based Forwarding for Application "Ping" Hope this helps. Thanks ... View more

Hello Chris, For ethernet interface, the Max MTU size is 1500 bytes. The ESP protocol header will be placed in the top of the IP header. IP header would be 20 Bytes, hence the original data+ EST header size can be max (1500-20)=1480 Bytes. ESP header can be 52 bytes, including below mentioned option field: --------------------------------- ESP header -------------------------------- Security Parameters Index =(32 bits) Arbitrary value used (together with the destination IP address) to identify the security association of the receiving party. Sequence Number (32 bits) =A monotonically increasing sequence number (incremented by 1 for every packet sent) to protect against replay attacks. There is a separate counter kept for every security association. Padding (0-255 octets)= Padding for encryption, to extend the payload data to a size that fits the encryption's cipher block size, and to align the next field. Payload data (variable) =The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the Next Header field.=Size of the padding (in octets). Next Header (8 bits) =Type of the next header. The value is taken from the list of IP protocol numbers. Integrity Check Value (multiple of 32 bits) =Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4. Payload data (variable, max 6 byte) =The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the Next Header field. So, the actual data can pass through the tunnel without fragmentation will be (1480-52)=1428 Bytes. The tunnel  MTU would not depend  on encryption parameter. Because, encryption parameter will be identified by SPI (Security parameter index-to identify the security association SA ) Path MTU is not being calculated, and any packet more than 1500 Bytes on an ethernet interface will be fragmented Thanks ... View more

It's dedicated interface for HA, you will not be able to see it under Network > interfaces. You have to configure it under Device > High-availability >set-up. Thanks ... View more

It is recommended to connect back to back between 2 firewalls. Thanks ... View more

Hello markk96, Please find below mentioned DOC, this might help you to understand/configure high-availability. How to Configure High Availability on PAN-OS How to Configure Basic Layer 3 HA for PAN Devices - External Cluster How to Create an HA Backup Link PAN-OS Administrator's Guide 6.0 (English) Thanks ... View more

Since your primary requirement is to reduce the bandwidth utilization, i would suggest you to schedule it once in a week (preferably on Sunday/ non-business hours) Thanks ... View more

Hello rmilman, Could you please let us know if you have configured any schedule for Wildfire and antivirus. Because, these 2 feature are having the option to get updates every 1 Hr. First, if you have configured a file blocking profile with action "forward" ( send to wildfire), the suspicious file will be sent to the cloud for analysis, it will take enough bandwidth on your PAN firewall. Secondly, if you are using URL filtering profiles on a security policy and the destination URL's are not available on the Local-DB, the PAN firewall will send the query every time to the Cloud-DB. Hope this will helps. Thnaks ... View more

Adding to it: Subject: Multiple Countries in a Single Object Priority: Medium FR ID: 1284 You can request your local SE so he can also add you to this list. Thanks ... View more

Hello Bbilut, There is a similar feature request has been already submitted: For your reference: Highlight Unused Objects FR ID: 3159 The best avenue for information on this type of issue will be your PA sales team.  They can get you the roadmap for the feature and add you to any pending feature request. Hope this helps. Thanks ... View more

Hello Bbilut, The following documents can be helpful: Unused Addresses or Address groups How to identify unused objects? How to Identify Unused Policies on a Palo Alto Networks Device Add: we can identify any unused policy on this PAN firewall, but I don't think there is any straightforward way to segregate unused objects i.e (address, address group, app group etc). If there are features we currently don't have but you would like to see added, the Palo Alto SE can create a feature request for you. Hope this helps. Thanks ... View more

A similar discussion for your reference: Re: Anyone Blocked a specific file from being downloaded? Thanks ... View more