About Remo

@JeffFredericks The way described by @RobinClayton isn't a hack. This is how it should be as the firewall also does not know the DNS names of the sources (except if you create address objects for ALL your internal systems). This information you should get where it is managed -> from your DNS server.   @JeffFredericks wrote: Selecting, say, the url field for syslog won't capture internal DNS requests as they're hitting the Palo? No, paloalto does not log the content of DNS requests. If you need this data, then the best place to get that is agsin your DNS server which you need to configure to send the DNS logs to your splunk server. ... View more

@SThatipelly This I don't know exactly, but I assume it is something like you wrote (that the signatures time out) and probably also that paloalto makes the most dangerous domains available as DNS signature. As I wrote there is no cloud lookup for these so the capacity is limited. Specially when users can also configure their own domain EDL, the firewall will get to a point where the performance is affected when the firewall has to check hundreds of thousands entries for every DNS request. The cloud obviously scales a lot better with the URL database than a local one. ... View more

@SThatipelly Is this particular domain listed as DNS signature or "only" as malware URL category? If its the latter one, then this is actually "expected behaviour" because only a small percentage of malware domains are available as DNS signature. This is simply because the DNS signatures are far more static than the URL categories where the firewall is able to do a cloud lookup of an URL. Technically this would also be possible for DNS entries, but so far this isn't implemented this way. ... View more

Hi @NizarNadir   In this case you simply get the App-ID updates only. Under Device -> Dynamic Updates you can configure the schedule in what frequency the firewall should check for updates and install them. ... View more

@wajatmaka I would recommend: DO NOT wait until it happens again. Download the techsupportfile, open a case and upload the file so that it can be analyzed. Maybe there isn't an obvious reason - bad luck. But if there is something you gain 2 weeks, because if this is a bug you will have to wait anyway a few weeks/months until the fix is implemented. ... View more

@JeffFredericks Do you want to have DNS logs in your Splunk server or do you want the DNS names for the IPs in the logs? For the names you can export the DNS Names and create a lookup table on your splunk server. ... View more

Incomplete could also mean that the tcp handshake did finish and then the server resets the connection right after that handshake . ... View more

@BigPalo A little strange actually is that the firewalls already sees the application soap which implies that the decryption already happened. In addition the sessions are too big already in my opinion. If a decryption error happens the sessions normally are smaller. In addition to what @BPry wrote I would also do a packet capture and check if there is already data or if you see TLS handshake errors. ... View more

Hi @RobinClayton   This rule that allows http and https to Sophos update urls actually allows traffic to any destination, but only until the point where the firewall would see the URL in a http-get or TLS Client Hello packet and if the firewall sees an URL does not match your custom URL category it reevaluates the policy and takes the action according the best match firewallrule. The two connections in your screenshot were sessions where there wasn't enough data for the firewall to identify anything, but as mentionned this rule will allow some bytes to be sent out anywhere. You could try to further restrict source and destination IPs to make sure that even this few bytes can only be sent out from systems thst really need these updates. ... View more

Hi @Farzana   What speed issues do you have exactly? Could you explain a little more? Are these issues constantly, randomly, mostly at specific times or only on weekdays or als on the weekend?   What I see in your screenshots is that you don't really have a bandwidth limitation for incoming traffic configured. So theoretically 1 user (connected with Gbit) could utilize the full bandwidth on both ISP links with 2 big downloads.   QoS on Paloalto firewalls is only applied on egress interface. So even a user connects to Microsoft for downloading updates (your QoS policy 3), the big data transfer is incoming and not outgoing, the most of the traffic will be handled by the QoS interface config for ethernet1/3 and there the only limit is 1 Gbit (except if there is a lot of skype traffic than the update download can only consume up to 800 Mbit) ... View more

Yes exactly. Because you already use another device for this already you want to make sure that really only this traffic here will be decrypted (server as source and maybe a second custom url category that contains "www.google.com") ... View more

@clonesheep Does the term "SSL decryption" mean more to you? (I try to avoid using the word SSL as this is TLS in the current versions)   What I meant you need the firewall to decrypt this HTTPS traffic (-->decryption policiy), because as I wrote the firewall does not see the actual http-get request without decryption. ... View more

Hi @DavidBleek   Unfortunetely in this case I cannot really help. I had the same problem. We are also in a domain migration where users get new computers which are joined to the new domain but the users were not migrated at the same time they receive the new computer. In my case we don't even have User-ID but the users show up anyway with "olddomain\user" AND "newdomain\user".  As soon as the users are migrated and so user and comouter are in the new domain, the problem was gone. Adding exchangeservers would also help in your case, but I undersand that this could be difficult with O365 (unless you have exchange on premise). Maybe @Mick_Ball has a good idea to solve this, but my recommendation is: Use as much User-ID sources as possible where you get the mapping from the new domain (Global Protect internal gateway, Captive portal with Kerberos/SAML single sign on, ...). This way the mapping from the old domain should be overriden as fast as possible (like the situation you have with server session read). ... View more

@jsalmans wrote: We opened one at some point for DIPP NAT options some time ago:   FR ID: 7654 Requesting support of DIPP with non-strict recognition by devices.   This was basically to request features to allow DIPP NAT to be used more like the ASA's implementation of PAT (best effor port usage and sticky NAT). Thanks, FR ID 7654 is added to the list ... View more