About Remo

Hi @RogerMccarrick   My assumption why these commands are different is the following: The devicegroupcommit is there already quite a while, then sometime the stack feature was added and with that a slightly new syntax (because they think it is easier this way?...). But to not break the existing implementations, the devicegroupcommit wasn't changed.   Partial commits are not possible so far with the API.   Regards, Remo ... View more

@JoeAndreini wrote: be aware the buffer is relatively small, take 10-15 lines at a time ... or if you're using a SSH client that has this feature, set a delay of 150ms between the commands     ... View more

@hshawn You probably need to ask this question about android 9 to your SE, because so far only up to Android 8.x is supported.    ... View more

URL filtering works even without TLS decryption. But without additional steps you will not be able to inject a response page. Did you check the URL log when you open this BBC player website? There you should (depending on how the website is built) be able to identify the website that you need to block (with a custom URL category). ... View more

@SThatipelly If you really want to restrict the access to this sharepoint website, then you probably don't have an alternative other than manually build the filterlist that you allow. Maybe it is possible to use wildcards or do something with regex (with a custom App-ID).   If there is now way because the urls are in no way configurable when there are too much, then an alternative would be a blacklist category where you configure alle the urls that the users should not be able to reach on that sharepoint website.  ... View more

@jambulo wrote: Are the subnets equal to each other? Not sure what you mean. I meant if these subnets are all the same and the only reason you have more than one is mabe because one /24 isn't big enough, so you created a second. But as you wrote you want to group the servers based on their functions.   Depending on the number of subnets and the hardware you are using, I would create one zone per vlan/subnet. As you group the servers by their functions this would fit perfectly into the zonenames so you have a better overview in the ruleset.   If you have more than 40 subnets and you are using a PA-3020, then you have to go the way with one zone where you drop intrazone traffic, but in case you have a PA-5220 or even bigger then the number of zones will probably not be a limit in any way.       ... View more

Hi @FabioGarcia   Did you recently update your User-ID Agent to version 8.1.0? If you answer this question with "yes", then update the version to the latest maintenance release and the problem should be gone. ... View more

Hi @scottoliver   As @santonic already wrote there is probably something wrong in you är config (even if you promise that it isn't your fault 😛   ). Application incomplete could also have (many) other reasons that the firewall not working properly. Could you share screenshots of the security policy and of a working and nit working connection in your log? Additionally may I ask what PAN-OS version and app version do you have installed? ... View more

External urls where users have to chlick on a link to get there or redirects initiated by the sharepoint website? ... View more

Hi @jambulo   There is no simple answer for your question. It depends ... Are the subnets equal to each other? Will you generally allow traffic between the subnets? Are the subnets contain different group of servers? (One subnet for linux and one for windows for example) Do you plan to configure generic zone firewallrules or do you configure specific rules for each server? ... View more

@ADK999 @jsalmans @BPry Today I did some tests with TLS decryption and TLS1.3. Conclusion: Paloalto is able to "downgrade" a possible TLS1.3 connection to TLS1.2 and is also able to block connections to TLS1.3 only websites.   This works for example for the website "www.cloudflare.com". This website offers TLS1.3 but also TLS1.2. Because of the fact, that the client does not know if the server offers TLS1.3 it sends some information that it supports TLS1.3 in the "supported_version" TLS extension towards the server. This extension will be stripped by the firewall (or not offered at all respectively) in the TLS client hello that the firewall sends to the webserver.   As @ADK999 wrote, yes the TLS1.3 handshake "looks like" a TLS1.2 handshake - but not completely. So there are two details, where it is possible for the firewall to block TLS1.3 connections: TLS version sent by the server in the TLS server hello Cipher suites offered by a TLS1.3 only server This is how the TLS Client Hello looks like from a Firefox 61 which I manually forced to TLS 1.3 only: Green circle = TLS Handshake make TLS1.2 compatible Red circles = Things on which paloalto is able to block the connection   So with a decryption profile that blocks unsupported versions and/or unsupported cipher suites you are able to block the access to TLS1.3 only webservers. With PAN-OS 8.1.3 you actually don't even need a decryption profile attached because the decryption fails completely without the firewall adding the website to the exclude cache.   So for now there is no need to block TLS1.3 on the client because the firewall is able to force a connection with TLS1.2. As I mentionned it is also possible to block connections to TLS1.3 only servers and this makes it possible to decide website by website which you will allow and manually add to an exclusion list and which ones will no longer be available for your users.   With these prerequisites it is possible to maintain the current visibility offered by paloalto firewalls - mainly because I don't excpect many websites moving to TLS1.3 only. Till then paloalto (and all other firewall/TLS proxy vendors) need to come up with a solution and this solution so far seems to be going back from a transparent to an explicit proxy. ... View more