About HULK

Hello Enid, We are expecting to be released on or before next week. Thanks ... View more

Adding a diagram for better understanding. ... View more

Hello Stephan, As per my understanding, it is possible to create 2 different tunnels between 2 PAN firewall. The only thing is, we have to define 2 proper routes pointing towards correct tunnel interfaces OR If you add those different subnets under PROXY ID, It also creates separate phase 2 tunnels between them (with different SPI key). Thanks ... View more

FYI. Related discussion. Re: PAN as an explicit proxy? Thanks ... View more

Hello Nonno1, Point-1: We will add devices into Panorama based on their Serial number, and it does not matter from Panorama point of view, whether the devices are standalone or in HA. The panorama will always treat as an individual device. Please follow the mentioned KB article to understand information synchronized in HA pair Information Synchronized in an HA Pair NOTE: If you use untrust interface of the device as service route, the configuration will be pushed only to active device (assuming policies are configured correctly) because only 1 IP is active at a time for active/passive, even though you have the same IP on both devices.  Suggested configuration would be to use management interface itself. Since the management IP address is unique for both devices, you will not have any issues and will prevent extra bandwidth consumption on untrust interface. Point-2: If you want to merge the panorama pushed config with your PAN FW local config, you should use the option "merge with candidate config". But if you want to override your FW config with Panorama pushed config, then you have to check the option "Force template values". Hope this helps. Thanks ... View more

Hello Kylelee, Could you please give me some time, i will try to get in touch with product-management team and provide you a valid explanation. Thanks ... View more

New enhancements in 6.0 related to SYSLOG over TCP or SSL. You can verify the same from CLI: admin@PA-4020> show counter management-server Log action not taken            :          1 Logs dropped because not logging:          0 User information from AD read   :          2 Certificates information read   :          0 License information fetched from update server:          0 Log action syslogs sent         :        557 >>>>>>>>>>>>>>>>>>>>>> verify if the counter is incrementing Sighash refcount                :          1 Tunnelhash refcount             :          1 URLcat refcount                 :          1 ip2loc refcount                 :          1 Related CLI command to ensure that the PAN is generating traffic logs: > debug log-receiver statistics > show logging-status Thanks ... View more

Hello Westcon2, I am trying to fine tune above mentioned setting into my test PA box, I will notify you once it will be done. Thanks ... View more

Hello Westcon2, It's an interesting requirement.   I don't think QOS will help us for above requirement. Could you please try to create a custom vulnerability-profile with below mentioned parameter. Set the value as 500 Then create a security policy (at the top) for Application=Youtube-base, Profile=Custom-vulnerability profile and Action=Block. ... View more

Hello Kylelee, I don't think we can configure the exact same IP address on 2 different interfaces, even though they are part of 2 different VSYS. It will throw you below mentioned error: Error: duplicate address for interface ethernet1/xx and ethernet1/yy Error: interface configuration error (Module: device) Commit failed NOTE: 2 different VSYS will allow you to configure same subnet on 2 different physical interfaces. ... View more

Do you have a pcap file taken at client or server and try to find a matching signature. FYI Trigger Conditions for Brute Force Signatures Thanks ... View more

Hello Sir, If the firewall is failing the test, we would need to get some more information about how you are testing the device and what the firewall is doing that causes it to fail. Both of the vulnerabilities are somewhat old and not modern firewall should be affected by them. We could create a zone protection profile, that gives you control over the how the firewall responds to specific packet based attacks. The PAN-OS Administrator's Guide has some basic information about zone protection, https://live.paloaltonetworks.com/docs/DOC-6603 Here are two documents that explain how the Paloalto handles TCP connections, https://live.paloaltonetworks.com/docs/DOC-1731 https://live.paloaltonetworks.com/docs/DOC-1628 Although, the above mentioned problem looking like a BUG-44798- Weak sequence number generation vulnerability on MP (management-plane) CVE-2011-3188 and CVE-2002-1463. This problem has been fixed in PAN OS 6.0.0. Thanks ... View more

Hello Minow, If I understand it correctly, the security policy "VIP Users" is placed on the top of the policy table. Could you please verify the traffic logs (user name), which is not hitting the first rule " VIP Users": The Users on the security policy can be one of the below mentioned options: Any, Pre-login, unknown,known-users, select. known-user—Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the “domain users” group on a domain.  >>>>>>>>>>>>> Could you please check if you have mapping for that user on PAN firewall. CLI command to verify: > show user ip-user-mapping ip x.x.x.x ( IP address) Select—Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users. Note: If you are using a RADIUS server and not the User-ID Agent, the list of users is not displayed, and you must enter user information manually. Thanks ... View more