About HULK

Hello Bango, You can subscribe "Content update emails" and "security advisories". But, There is currently no notification email for maintenance releases of the PAN-OS. Thanks ... View more

Hello RIF, This is triggered when an argument to a MAIL command to an SMTP server is overly long (304 bytes). This triggers a buffer overflow leading to a DOS and/or possible remote code execution.  Could you please let me know which Application and threat version is currently installed on your PAN firewall...? Thanks ... View more

Related discussion on the same topic: Path-Monitoring Virtual Wire Re: HA path monitoring in virtual wire virt Hope this helps. Thanks ... View more

Hello Grubbsy, You will get the block page for the first time, just to ensure, end-users can take the proper action to continue. The original rationale behind this design to enforce safe search is to block the non-strict safe search request, show up a block page and redirect user to the search setting page to set the strict safe search. Because this feature is a part of URL filtering, on the URL filtering profile page. There will be a block page for this feature. When non-safe search is identified, it will display a block page to user, telling them that their search is not safe and they should go to the corresponding setting page to enable safe search. Thanks ... View more

If the Safety option is not enabled, then the firewall will provide the users with a block page (as shown in the example below). The page will display the reason for the block, with steps on how to enable Safety so the search can be enabled. Hope this helps. Thanks ... View more

> Blocks Google, Bing, or Yahoo search results unless the strictest safe search option is set > If strict search option is not enabled, a block page is presented with instructions and links to enable safe search So, This is expected behavior. This will redirect the end user to set filtering. Thanks ... View more

Hello Grubbsy, Please find below an example for Global Protect custom response page: Step-1: Import the modified response page by navigating to Device > Response Pages > Global Protect Portal Login Page. Step-2: Go to Network > GlobalProtect > Portals. Choose the Custom Login Page or import the modified page directly from here. Hope this helps. Thanks ... View more

Hello Javith, Could you please verify the traffic logs ( GUI > Monitor > Logs > Traffic) and see some more formation. GUI --> Traffic log, you may use filters like ( addr.src in IP_ADD_OF_THE_TESTING_PC ) and ( addr.dst in IP_ADD_OF_THE_DESTINATION ) to check the security policy that the traffic hitting. Also, you can check the real time session in the CLI by using 'PAN>show session all filter source IP_ADD_OF_THE_TESTING_PC " Otherwise, we may ned to enable FLOW BASIC feature to understand the exact reason behind the drop: > debug dataplane packet-diag clear all > debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION > debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC > debug dataplane packet-diag set log feature flow basic > debug dataplane packet-diag set log feature tcp all > debug dataplane packet-diag set filter on > debug dataplane packet-diag set log on ~~~~~~~~~~~~~~~~ Initiate traffic through the PAN firewall/try to browse a website ~~~~~~~~~~~~~~~~~~~~~~~~~ > debug dataplane packet-diag set log off > debug dataplane packet-diag aggregate-logs > less mp-log pan_packetdiag_log.log For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands Thanks ... View more

Hello Minow, As per my understanding, it will cache the password while in sleep mode, but if you reboot/restart the laptop, it should ask the password. I am also expecting few more replies on this topic. Thanks ... View more

Add to it, SFTP is not like FTP over SSH, rather a new protocol designed from the ground. Hence the PAN will identify it as SSH traffic, but if you decrypt the same traffic, it will be identified as an SSH-tunnel. There is a feature request already submitted to develop a new app for SFTP (rather SSH or SSH-tunnel). Thanks ... View more

Hello Kaussh, Are you getting any error on the console logs during boot-up( Example: DDR ECC errors/ ata error). I think, it will require to be RMAed to resolve. Please try to power cycle the device to see if it will complete the boot-up process. Otherwise, I would request you to contact with support for the same. Thanks ... View more

Hello SSM, Below mentioned docs might help you. Setup How to Configure Symmetric Return Policy Based Forwarding As per PBF, you can load share traffic based on address/application. Thanks ... View more

Hello Andy, Let me clarify for you. If you enable Application  FASP in your security policy, then it will explicitly allow the underlying dependent application SSH.  But, that does not mean, the source IP's (users) will be able to access SSH application  ( i.e putty, remoteNG etc) . Only if the traffic is coming in conjunction with the parent application FASP, then only the firewall will allow the traffic through it. NOTE: With PAN-OS 5.0.0 software and above, we can now allow an application in security policy without the need to explicitly allow the underlying protocol dependency (for most protocols) . This is supported only if the application can be identified within a pre-determined point in the session. Applications that qualify for this PAN-OS feature will have this support enabled in the Content version starting onwards 323. I did a test on my LAB: Security RULE-1 Source IP- 1.1.1.1 destination IP-2.2.2.2 Application FASP Action -Allow Security RULE-2 Source IP- 1.1.1.1 destination IP-2.2.2.2 Application ANY Action -Deny While trying to access IP 2.2.2.2 through SSH ( putty) from IP 1.1.1.1, it's falling under RULE-2 and traffic is getting denied by the PAN firewall. Hope this helps. Thanks ... View more

Hello Apetrov, PAN OS 6.0.2- This release is doing very well and this is the most widely used 6.0 release for PANOS. PAN OS 5.0.12- This is a stable release. Thanks ... View more