About Remo

If you only need the certs for internal purposes you don't have to buy a public wildcard cert. This can be done with an internal PKI (Public Key Infrastructure). And if you have / want an internal PKI you could also create the certs on your PaloAlto firewall. Fist you need to generate a Root CA Cert where you enable the CA checkbox, after that I would recomment to generate an intermediate CA cert where you also enable the CA checkbox and choose the option that this intermediate CA cert will be signed by the previously generated root CA cert. After that you are ready to generate your wildcard cert which should be signed by your intermediate CA cert.  Your generated root cert you have to export (only the public key) and import this one to your client(s) to avoid cert warnings in the browser (and to make it even more secure, export the root CA cert (this time with the private key) and store it on an usb flash drive or another computer which is offline (not attackable over the network). Be careful that you do not loose this root CA key).   Hope this helps.   Regards, Remo ... View more

Hi @R_Sharma   IPSec SAs are synced but not the IKE SAs. So normally everything works fine during failover with - as @OtakarKlier mentionned - with a few pings lost (in most cases I had only one or two pings lost).  But because of the not synced IKE SAs you need to be careful. In the past I hat connections that were no longer established when IPSec timout was reached and IKE SA wasn't renewed so far. (Probably depends on the IKE/IPSec implelementation on the other side). Since then after a failover I manually (/with a script) renew all IKE SAs and the problem is solved.   Regards, Remo ... View more

Hi @MP18   Did the restart occur at the time when the panorama appliance generates the scheduled reports or when you (or another admin) run another custom report? In any case this sounds like you should generate the tech support file and open a support case. ... View more

Hi @Transporter   How often do your firewalls check for and install wf updates and do they do this all at the same time? After this failed update is the update still failing or is it now working again? ... View more

To prevent additional information leakage of the IP address, you should enable this option (Device>Setup>Content-ID>X-Forwarder-for Headers): ... View more

Hi @Mr.Robot   Ok, now I get it. The only solution in this case is the API and it heavily depends on how important this is to you and your skills on programming/scripting (or the skills of the people who will implement this), because this task (I assume) will be time consuming.   At this point I need to say I haven't done this, but the following lines describe the way I would do it/try it.   Requirements: User-ID TLS decryption a computer/server that has access to the firewall management interface 2 Firewallrules: one that blocks youtube for a specific usergroup and one that allows youtube with a schedule applied with the timeframe where youtube should be allowed   The solution: You need to write a program that runs on the server. This program needs to constantly check the sessiontable for youtube sessions. If there are sessions you need to track these sessions to check when they reach 2 hours and if they do you need to close that session and add the user to the youtube-deny-usergroup, so that if this user tries again to access youtube he/she will not be able to. In addition to this you also need to check the logs for sessions that do not last 2 hours. The times of these sessions you need to sum together and as soon as this time reaches 2 hours you have to add the user to the deny-youtube-group. Once a day you can then remove the users from that deny group. With all this you need to check on what specific app you need to use for the session tracking because accessing youtube opens quite a few sessions in parallel - this is to make sure that the two hours aren't reached when a user is only about 10 min on youtube.   In all this you need to also do a lot of testing, but I think there is a solution for your requirement. ... View more

Hi @Mr.Robot   Yes, you can solve this via API with complex rulechanges, dynamic addressgroups and enabling/disabling rules ...   But for your initial question there is a much simpler solution: use a schedule object in your youtube policy to allow access at specific times per day.   Regards, Remo ... View more