About Remo

@dwmaas Where did you read something about a "recommended configuration file size"? I don't think there is such a value. There are maximum values for objects and rules where if you reach such a max you should keep an eye on the cpu. If you have 65000 security policy rules on a PA-7050 your configuration file probably is pretty big, but the platform is theoretically made for that and (for whatever reason) 55000 rules could be disabled then the configuration is still big but this shouldn't have any impact on anything as the firewall only has to check 10000 rules for new connections. The same with objects. If you have configured 160000 objects on a 7050 but you use only a small part this does not mean a lot. ... View more

@Brandon_Wertz For 986 I will also add at least 5 companies 😉 The only reason I haven't done this since I know about this FR is that I was thinking about placing a new FR for a completely new Global Protect log category. What do you think? ... View more

What PAN-OS version is running on your firewall? ... View more

@jdprovine In this case you need a ldap and a radius authentication profile to have two factors. As probably already mentionned with the GP agent it is possible if you configure ldap on the portal and radius on the gateway. For the native clients (good to know by the way that this works), global protect does not offer a way to chain authentication profiles. There you need something that I mentionned wher the radius server checks ldap credentials and OTP, because they only connect to the gateway and not to the portal to pull their configuration. (I hope I understood your question correctly) ... View more

Added FR ID 986 - Custom Reports for System logs Added FR ID 9113 - Integrated addressobjects for well-known cloud services ... View more

Yes, this is possible: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal ... View more

Interesting discussion you @jdprovine and @Mick_Ball have here 😉   Just to be clear, I don't expect to be the "super user" with the ultimate solution ... but I already had quite a few situation with global protect and a lot of headache till some situations were solved (one still isn't, there I hope for GP 5.0)   So ... 🙂   This one actually I don't really understand: @jdprovine wrote: @Mick_Ball well....... we want 1 user to do both LOL. once by radius, once by OTP or something like that, like you know ( I am going valley girl).... two authentications per person.   soooooo..... sorry I couldnt help myself What do you @jdprovine mean with "we want 1 user do both"? As I understood your RADIUS is responsible for OTP, but now how is LDAP coming into the game? Or what is meant to do both?   May I  add what we use: We use RADIUS only. PaloAlto sends the credentials (username and password) to the RADIUS which checks these values via LDAP in the active directory. If the credentials are valid it sends a accept-challenge back to the firewall which then tells the global protect agent to show the prompt for the OTP. This is for the portal and on the gateway we use cookies but configured the same RADIUS profile there too to make sure OTP is forced in every situation (if for some reason the global protect agent does not connect to the portal first).  ... View more

Hi   As @BPry already wrote, I am also sure that there will be a release that is usable/recommended untill EOL of 8.0 is here. But I also unterstand @firewall-pupil's point and it's kind of true - looking at statistics it's getting close... So here are some informations about releases since 6.0:   Version Releasedate Days since previous Version 6.0.15 17.10.2016 109 6.0.14 30.06.2016 129 6.0.13 22.02.2016 90 6.0.12 24.11.2015 90 6.0.11 26.08.2015 121 6.0.10 27.04.2015 50 6.0.9 08.03.2015 46 6.0.8 21.01.2015 44 6.0.7 08.12.2014 46 6.0.6 23.10.2014 30 6.0.5 23.09.2014 50 6.0.4 04.08.2014 54 6.0.3 11.06.2014 49 6.0.2 23.04.2014 45 6.0.1 09.03.2014 49 6.0.0 19.01.2014       Average: 66.8     Days untill x.x.7: 323   Version Releasedate Days since previous Version 6.1.21 28.06.2018 113 6.1.20 07.03.2018 96 6.1.19 01.12.2017 135 6.1.18 19.07.2017 83 6.1.17 27.04.2017 90 6.1.16 27.01.2017 91 6.1.15 28.10.2016 59 6.1.14 30.08.2016 42 6.1.13 19.07.2016 40 6.1.12 09.06.2016 57 6.1.11 13.04.2016 50 6.1.10 23.02.2016 42 6.1.9 12.01.2016 53 6.1.8 20.11.2015 60 6.1.7 21.09.2015 55 6.1.6 28.07.2015 28 6.1.5 30.06.2015 50 6.1.4 11.05.2015 54 6.1.3 18.03.2015 48 6.1.2 29.01.2015 43 6.1.1 17.12.2014 53 6.1.0 25.10.2014       Average: ~63.9     Days untill x.x.7: 331   Version Releasedate Days since previous Version 7.0.19 04.12.2017 87 7.0.18 08.09.2017 56 7.0.17 14.07.2017 38 7.0.16 06.06.2017 48 7.0.15 19.04.2017 53 7.0.14 25.02.2017 43 7.0.13 13.01.2017 36 7.0.12 08.12.2016 43 7.0.11 26.10.2016 47 7.0.10 09.09.2016 39 7.0.9 01.08.2016 42 7.0.8 20.06.2016 38 7.0.7 13.05.2016 52 7.0.6 22.03.2016 42 7.0.5 09.02.2016 50 7.0.4 21.12.2015 69 7.0.3 13.10.2015 48 7.0.2 26.08.2015 38 7.0.1 19.07.2015       Average: ~48.3     Days untill x.x.7: 299   Version Releasedate Days since previous Version 7.1.19 28.07.2018 50 7.1.18 08.06.2018 46 7.1.17 23.04.2018 46 7.1.16 08.03.2018 50 7.1.15 17.01.2018 57 7.1.14 21.11.2017 40 7.1.13 12.10.2017 43 7.1.12 30.08.2017 55 7.1.11 06.07.2017 45 7.1.10 22.05.2017 45 7.1.9 07.04.2017 49 7.1.8 17.02.2017 49 7.1.7 30.12.2016 43 7.1.6 17.11.2016 46 7.1.5 02.10.2016 52 7.1.4 11.08.2016 43 7.1.3 29.06.2016 48 7.1.2 12.05.2016 24 7.1.1 18.04.2016 20 7.1.0 29.03.2016       Average: ~44.8     Days untill x.x.7: 276   Version Releasedate Days since previous Version 8.0.12 09.08.2018 35 8.0.11-h1 05.07.2018 52 8.0.10 14.05.2018 41 8.0.9 03.04.2018 51 8.0.8 11.02.2018 45 8.0.7 28.12.2017 45 8.0.6 13.11.2017 54 8.0.5 20.09.2017 56 8.0.4 26.07.2017 38 8.0.3 18.06.2017 52 8.0.2 27.04.2017 48 8.0.1 10.03.2017 40 8.0.0 29.01.2017       Average: ~46.4     Days untill x.x.7: 333   Version Releasedate Days since previous Version 8.1.3 13.08.2018 61 8.1.2 13.06.2018 43 8.1.1 01.05.2018 61 8.1.0 01.03.2018     For 8.1 there obviously aren't a lot versions yet. So I can only speculate about the future. In the past normally version x.x.7 was installable almost without any risks. So lets assume this will also be the case with 8.1. The overall time between releases since 6.0 was ~54.6 days, but as a release gets older the time between versions increases which is logical as PaloAlto focuses on the newer major versions. So for a (maybe) better prediction I also summed up the days between a new major release till x.x.7. The average for this since 6.0 is 312.4 days. This means that we get 8.1.7 on the 7th January 2019. Of course this date is only based on average times between releases from the past, but anyway it will be close to EOL of 8.0. Specially for big environments this could mean some work at the end of the year / beginning of 2019 (at least if you want to avoid having a release in production that is EOL).   We'll see 😉   ... View more

@Sly_Cooper For continuous monitoring including storing these values to get also a historical view you should take a look at snmp and a monitoring software. Examples are: (Commercial software with also a free version) PRTG Traffic Monitor https://www.paessler.com (Opensource software) NetData https://github.com/firehol/netdata ... ... ... View more

Almost 2 years ago I created this topic ... and now the problem finally is resolved and the topic has an accepted solution. The solution also worked in my tests! Thank you very very much @Mick_Ball ... View more

I would also recommend to open a support case ...   And what you could check also: Try with a new allow-and-log-ALL vulnerability profile (only vulnerability) Try with a new allow-and-log-ALL anti-virus profile (only anti-virus) If it was working for both of these two, do the same with anti-spyware and URL filtering During these tests check the global counters and do a flow basic analysis (this is probably also what TAC will do) ... View more

@Mick_Ball Did you already verify? Anyway, I will also try your suggestion probably tomorrow. And if this does not help either, at least I have some more information for another supportcase.   @Mick_Ball @BPry --> the power of the (Live) community! ... View more