About Remo

@TysonLiu To which PAN-OS version exactly did you upgrade? ... View more

... Atari Breakout seems to be a little more tricky to find a good way to block while analyzing the website on a smartphone 😛   So far I see the possibility with a custom application that blocks the HTTP get param "atari breakout" on google websites. ... View more

@HWAAcademy I also took a short look at that and it looks like you could block access to: https://www.google.com/logos/2010/pacman10-i.html https://www.google.com/logos/2010/pacman10-hp.html Or even better: Block only the required javascript so everyone is able to open the pacman website but cannot play 😉 https://www.google.com/logos/js/pacman10-hp.10.js ... View more

Depending on the entrycount of the domakn EDLs this could result in quite a few DNS requests that the firewall needs to resolve. But I see your point. You could contact your local sales to create a feature request for this. If you do, post the FR ID here so others can also vote for this feature. ... View more

Hi @Brad.Herbert   I see two possibilities on how to solve this: Create a policy based forwarding rule so that ypur internal network will be able to reach this public IP over the tunnel instead of directly over the internet Create a separate virtual router where you add your tunnel interface (and depending on the use of the firewall also your internal interface). In this seperate virtual router you could then configure a route for this public IP with the tunnelinterface as destinationinterface without affecting the IPSec traffic that the firewall needs to be able to send directly over the internetinterface. I hope this helps.   Regards, Remo ... View more

@cyb3r_v3n0m If you create a decryption policy exception you don't have to uncheck the "validate update server identity" checkbox or and you don't have to mark the decryption root cert as trusted root. ... View more

There are some ways Export your configuration from both panoramas, copy the part with the application(groups) from one panorama to the corresponding section of the configuration of the second panorama and import the configuration again Use the cli (preferred with "set cli config-output-format set") and use configure mode to show all your application(groups). Copy this output and past it to the cli of the second panorama ... View more

@MikeTewner It depends on how much you really need this group mapping for SAML authenticated users ... it will be a bit of work   Set up a webserver Create a log forwarding profile for system logs that applies for global protect login and logout logs and send these logs to your webserver Create a web application on your webserver that processes these http request with the logs from your firewall For every log that the webserver receives your web application needs to push that information to the firewall API to create dynamic User-IP-Group mappings and also delete them when a user logs out 4 "simple" steps and you have implemented what you need 😛   But I recommend the feature request anyway ... ... View more

@BPry I actually also don't think it will work as I assume this setting does only apply for updates (software/dynamic) and not wildfire ... but who knows ... ... View more

@Karthick.Subbiah Try to disable the checkbox at "validate update server identity" and mark the root cert that you use of decryption as trusted root certificate. Not sure if this really works because the actual solution was already posted by @BPry. For this step you don't need to disable TLS decryption comoletely, just configure an exception for your firewall mgmt IP to wildfire.paloaltonetworks.com. ... View more

@BPry And my hope died again 😛 Thank you for checking. (You route 0.0.0.0/0 into the vpn tunnel right? And you are on 4.1.1 with windows 10?) ... View more

@BPry Yes, the scripting solution works. The criticism that PaloAlto must accept is really about this "Domain" report. At least in my environment (we log EVERYTHING) I have almost 0 urls like www.amazon.com, www.google.com, www.paloaltonetworks.com and so on. In every log there is something after the domain like www.amazon.com/anything/anything/somefile.html. so when you want to create a script you need to split the URL at the first "/" to get the domain and then count these entries to get the hits to a particular domain. Other solutions/vendors do this out of the box (which actually shouldn't be really hard for paloalto to implement)... In addition with other solutions it is also possible to get a report with the amount of traffic to specific domains, which is also not possible with paloalto without a not so simple script or without something like splunk. Sometimes I don't really know what to think: one one hand there are some "basics" missing, which would be great for a lot of customers and on the other hand I love the API - if something isn't built in at least PaloAlto gives us the possibility do implement it by ourselfs. Yes, this means some work, but you then also get exactly what you need instead of buying another (expensive) product which then fits 80% of your needs (instead of lets say 60% without some scripting) ... advantages and disadvantages - we will always have to live with them ... View more

@AzerbaijanSupermarkets As mentionned by @BPry, in my eyes this is a job for an email relay/gateway server, not really for a firewall.   (Except maybe if FR 1255 sometimes will be implemented? @reaper: what exactly is this FR about? Logging of sender and receipient in smtp connections?) ... View more