About HULK

Hi David, Could you please share >show system info ---- o/p from that firewall. ( To understand the HW model, PAN-OS version, App and threat database). I will do a LAB test and let you know the exact behavior. Thanks ... View more

Hello, PBF lookup happens in pre-NAT IP address. Also in PAN firewall NAT evaluate at first with original IP but Apply at the end of flow. Packet flow on PAN firewall:- Few more information regarding the same. Fowarding Testing Security, NAT and PBF Rules via the CLI Inbound NAT Policy with Outbound PBF Causing IP-Spoofing Drops NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP Packet Flow in PAN-OS Hope this helps. Thanks ... View more

Hello, The MediaFire is a browser-based file sharing method, we can treat as a P2P as well. 1. Could you please check if you have configured to stop any P2P download. Thanks ... View more

Hello Cheon, This output means, 1. This firewall can support max 200 active concurrent session. 2. There are no active session at this point of time. 3. There is no session table overflow ( the system is out of sessions and is dropping them due to the session table being full ) You can apply below mentioned command to verify  System Limits. >show system state filter cfg.general.max* How to Display System Limits Thanks ... View more

Hello, Appweb3 is the process to take care web-GUI functionality of PAN firewall. Please find below details to get an idea for each parameter. %us - user: users’ processes that are not niced. User initiated programs can include running queries and reports, etc. %sy - system: running the kernel and its processes. %ni – nice: nice level programs which control priorities in the kernel's scheduler. %id - percent idle. For instance, above shows the CPU 98.9% idle. %wa - percent of time CPU has been waiting for I/O to complete.  (Too high may be indicative of heavy swap usage particularly on 500/2000/4000 platforms. This can cause other MP issues such as dynamic routing protocols flapping due to inability to process keepalives/hellos, HA split-brain due to missed HBs, and even process and dataplane restarts due to missed HBs to masterd. Should also check logging rates ). %hi - hardware IRQ: servicing hardware interrupts. %si - software Interrupts: software interrupts. %st – steal: involuntary wait by virtual cpu while hypervisor is servicing another Hope this helps. Thanks ... View more

Is Twinax wire is like Twisted pair cable. Thanks ... View more

Hi James, Please let me know what type of NAT you have configured for DNS traffic. Can you try once with static NAT for the same and let me know the result. Note- make sure app-override is not configured for DNS traffic. Thanks ... View more

Hi Gururaj, As per my knowledgeTACACS is not supported for authentication by PANFW as of now.  You can not use tricks, such as changing the port number to 49 instead of 1812 on RADIUS, because message format is different for both RADIUS and TACACS. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications. Thanks ... View more

Hi Rowan, Could you please share pcap or screen shot of traffic logs for imessage app. Thanks ... View more

Hi Gururaj, Safety Mode, an opt-in setting that helps screen out potentially objectionable content that you may prefer not to see or don't want others in your family to stumble across while enjoying YouTube. Depends on Applications: web-browsing, youtube-base That is why, If you allow only "youtube-safety-mode" and blocking "youtube-base", it will give you an application dependency warning. So, it is recommended to add "YouTube-safety-mode" along with youtube-base. As per my understanding, we cannot block content inside YouTube. We will identify the application as per the application signature, not the content ( data i.e porn video)  inside the application. Thanks ... View more

Just keep in mind as PBF decision would be taken by PBF "RULE" configured on the PA firewall, not by routing. So PBF rule can replace the routing as  it is not session based. Please make sure incoming/outgoing traffic passing through the same  link. It will help you to avoid asymmetric-routing. For reference :- Policy Based Forwarding Thanks ... View more

Hello Sir, Try to add *.microsoft.com *.microsoft.* *.microsoft.*/ *.microsoft.*/* Please go through below mentioned discussion and documents, hope it will help you. . Controlling SSL Decryption Thanks ... View more