About HULK

Hello Bob, I agree. Generally speaking, it's not recommended to log above mention traffic. Thanks ... View more

Hello Tician, Please find below the link regarding migration tool. Firewall Migrations To access migration tool community, you need permission. To get permission for migration tool community, you need to ask your local SE. You can download the tool in this community. Related links: https://paloaltonetworks.com/resources/webcasts/migrating-from-cisco-asa-to-palo-alto-networks.html Migrating Cisco ASA Firewalls.pdf Firewall Configuration Migration Tool.pdf Thanks ... View more

Just FYI. List of Applications Excluded from SSL Decryption Thanks ... View more

Hello, 1) As Panos said, clear the cookies of the browser and install the certificate into the browser's certificate ring. Reference docs: SSL Decryption Certificates >>> how to Load CA Certificates into Common Browsers 2) Go to Firefox tab and open a "New private window" and try to open the same page. Private window should get rid of all browser cookies. Hope this helps. Thanks ... View more

Hello Idias, a) You can monitor the real time situation through a monitoring tools. Which would show the packet rate, session rate, drop counter of an interface. b) You can run a script which will pull up information through CLI command on a specific interval: (you can run these commands manually also) > show counter global filter delta yes | match dos > show counter global filter delta yes | match drop Thanks ... View more

Hello SBSengineer, Please find below KB doc, hope this will help you to understand the situation while PAN firewall shows Incomplete, Insufficient data and Not-applicable in the application field. Incomplete, Insufficient data and Not-applicable in the application field Thanks ... View more

Hello Infotech, You can verify the functionality( detail information) of each App-ID in Application Research Center. Example: Hope this helps. Thanks ... View more

Hello Infotech, Palo Alto networks App-ID signature is having below mentioned signature for linkedin. Hence you can choose the required sub-category in your "Application" filed and set the required action for it ( In a security policy). NOTE: As per your query, you can set application as "linkedin-base" just to view the profile. Hope this helps. Thanks ... View more

Hello Sir, So far, PAN is not having a signature for "gaggle App". Hence, i would recommend you to follow the instruction as per below mentioned KB docs or contact with your Palo Alto SE for the same. How to Request a new App-ID http://researchcenter.paloaltonetworks.com/submit-an-application/ Hope this helps. Thanks ... View more

Hello Peterpan, 1) I am talking about route filter implementation on PAN firewall itself. PAN is having capability to filter routes ( advartize by BGP peers) and accordingly install into it's rib/routing-table ( routing information base). These docs might help you to implement BGP: How to Configure BGP Route Filtering BGP Traffic Engineering How to Perform Route Filtering with BGP 2) How many VPN tunnels you are planning to terminate into the PAN firewall..? Thanks ... View more

Hello Peterpan, - whether running BGP will have a significant impact on performance? Ans: It depends upon how many routes you are having into your  PAN routing table.  Generally speaking, if you configure BGP on a PAN firewall and having route-filter to import and export limited routes from PAN firewall, in that situation it would not take large CPU cycles from the PAN management plane. --As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work?  Ans: Yes, it will work perfectly. As, creating an another virtual-router means, the PAN firewall will create an another routing table ( segregation of routing table) --Do you have any best practice and recommendations for this VPN connectivity? Ans: VPN traffic will be encrypted by ESP/AH header. Hence an extra layer will be added on the top of the packet. Hence adjust the TCP MSS or reduce it to 1420 will be a good practice. Secondly, using a higher length encryption key ( AES-256, 3 DES ) might bring latency during traffic flow, because it will take more CPU cycles to encrypt/decrypt traffic on PAN firewall. I would recommend you to use AES-128 on both VPN gateways. Hope this helps. Thanks ... View more

Wildfire logs will be available under Monitor > Logs > wildfire only. ( not under threat logs). Thanks ... View more

Hello Lachen, There is no license required for site-to-site VPN ( gateway to gateway), only the of max tunnel number you can configure depending upon hardware platform ( Example PA 4000- You can configure max 2048 Ipsec tunnel). For remote client ( Palo Alto Networks Global protect SSL VPN), please find below mentiond document. GlobalProtect   >>>>>>>> Page no 3 for license requirement. Hope this helps. Thanks ... View more

Hello Marcin, I would recommend you to set the pattern matching on software (> debug dataplane fpga set sw_aho yes), instead of PAN OS upgrade. Thanks ... View more