About NGS_SOC

[Debug  374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed. It seems that domainY\userZ was not previously inserted, maybe not in that form. Via show user ip-user-mapping all are you sure to see domainY\userZ ? Maybe is like domainY.com\userZ and this is a different string causing me in the past some troubles. ... View more

From PAN-EDU-201 v.5 rev A MOD 4 APP-Id slide 26 PAN-OS implicitly allows parent applications for a set of commonly used applications Requiring that dependencies be allowed in order to enable an application can often allow more traffic than intended. For example, enabling access to web-browsing just to allow facebook-base allows users to browse other sites, requiring the administrator to configure other policies to regulate this access. PAN-OS addresses this concern by implicitly allowing dependencies for a set of commonly used applications to streamline the security policy process. Implicit permissions of a parent application are only handled if there is no match with an explicit rule. The complete list of implicitly allowed applications can be found in Appendix B of this manual. Appendix B Allowed Application • software-update apps • business-systems apps (e.g., erp-crm, storage-backup, sharepoint) • web-mail apps, IMs, social-networking Implicit >> web-browsing Apps identified in rpc decoder with a specific program ID (e.g., mount, nfs, portmapper, ibm-clearcase) Implicit >> rpc Apps identified in msrpc decoder with specific UUID (e.g., ms-exchange, active-directory, arcserve) Implicit >> msrpc msrpc Implicit >> ms-ds-smb ms-ds-smb Implicit >> netbios-ss Apps identified in rtsp decoder based on uri path in first request message (including custom apps) Implicit >> rtsp Apps identified in rtmp decoder based on uri path in the first request packet (e.g., bbc-iplayer) Implicit >> rtmp, rtmpt Media streaming apps (e.g., napster, megavideo) Implicit >> flash ms-rdp, msn-remote-desktop Implicit >> t.120 Apps identified based on SSL hello or certificate in the response. Ssh can remain in both uses-apps and implicit-uses-apps Implicit >> ssl yahoo-voice, gtalk-voice, msn-voice, msn-video, facetime Implicit >> stun several IM apps Implicit >> jabber gotomeeting, gotomypc, gotoassist Customer is not expected to understand internals about Citrix ICA/Jedi Implicit >> citrix/citrix-jedi Never allowed unknown udp/tcp, I hope this could hlep ... View more

In PANOS 4.x all application dependencies have to be explicit allowed in security rules, otherwise warning during may appear and related application could not work properly. Sometimes in large scale this requirement could be annoying or worse. Version 5.0.x changes this behavior allowing application dependencies if they are granular web-browsing, ssl, ftp and few more. Never unknown traffic, if needed, this have to be allowed with an explicit rule. ... View more

Bittorent doesn't depend on unknown tcp/udp, only web-browsing on tcp/udp dynamic ports. If you have 5.0.x this dependence is already done, otherwise a rule has to be inserted for allowing web-browsing before bittorent. Verify the app dynamic update (latest 373-1793) and in case of other error/warning  during commit also I suggest opening a support case. ... View more

I'm not sure having fully understood your goal, if I were you I'll remove the SSG and put PA-200 in its place. The little PA device is able to handle layer3 topology with multiple WAN connections using vrouters (2 available) and PBR. The simplest topology that can be suited you is WAN (untrusted) DMZ (servers) and LAN (trusted). In this choice traffic shaping & qos for servers/client are directly managed by PA-200 either with diffserv of qos polycy. ... View more

The diffserv Qos mark is done in Security Policy not in NAT rules. In the option field you case choose IP dscp or IP Precedence according to your Juniper configuration and all the traffic voice, ie sip application, can be marked to higher priority. Traffic shaping Qos is the second technology, useful to limit/guarantee certain amount of traffic, but in your topology maybe is better to handle this with Juniper. On the contrary, if your juniper can be moved to outside to inside, for example as vpn concentrator, you can use directly traffic shaping. ... View more

HI, below I attached an example of vbs script I used in order to obtain explicit login/logout from the network client, try to see if they work for you. Simply modify USER-ID agent address+ port. Once launched  the script is able to grab domain\user from the local machine ad set the PA login, or the logout. Dropbox - Login-Logout-API.zip I also use similar login\logout script integrated with 802.1X wifi enterpirse (Aerohive vendor), if the user is still preset there is surely something tha keeps alive the use connection. Also with an 5.0.x infrastrucutre you can talk to the PANOS directy using URL like this, without the USER-ID agent broker. https://<Firewall-IPaddress>/api/?type=user-id&key=<Key Value>&action=set&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="pan\sam1" ip="<Client-IPaddress>"/></login></payload></uid-message> ... View more

Script looks fine, I have an explicit logoff like this in place with 4.1.x and 5.0.x. The only difference I have is in ip & name order, in mine script is exchanged, <logout><entry name="domainY\user" ip="x.x.x.x"></entry></logout> If you still have user in "show user ip-user-mapping all" list this means that the user still present somewhere and the userid, please verify the user-id logs when loggin off you should have logs like these, where X.X.X. are private ips, New xml api connection X.X.X.X : 56522:2010737129. XML api thread 0 from X.X.X.X : 56522 is started. Event: type="XML API connection" name="X.X.X.X" status="Connected" Device thread 0 send server status X.X.X.X : 56522 Connected (XML API) XML api thread 0 accept finished XML api thread 0 SSL no certificate Reading 2 security logs takes 0 ms for DC domain.local. XML API IP 192.168.1.11(name DOMAIN\user) logoff. Event: type="XML API connection" name="X.X.X.X" status="Disconnected" XML api thread 0 exits. XML api connection X.X.X.X : 56522 closed. All XML api connection stopped! ... View more

Dynamic Block List is probably the solution you are looking for. Using an internal web server where your txt list can reside allow you to use the unwanted ip address as variable in Security Policy. ... View more

Apart from PA-500 specific problem, another operation could be tried in order to quickly  obtain reports. Exporting the postgress logdb from PA-500 and importing it to a VM-100 (even not licensed) should provide the results your are looking for. scp export logdb to userabc@1.2.4.3:c/a/b/c scp import logdb from userabc@1.2.4.3:c/a/b/c I wanted to try these operations some weeks ago in may labs and now I schedule for the next week. ... View more

You can start with two docs https://live.paloaltonetworks.com/docs/DOC-1098 https://live.paloaltonetworks.com/docs/DOC-2561 PA does only static eherchannel L2 (no LACP/PAgP support) and only for 4000 & 5000 series with PANOS 4.1.X. With PANOS 5  series 500, 2000 and 3000 do aggragate. ... View more