About Remo

In order to get more information on this, you need to ask your sales engineer.  Maybe there is an existing feature request that you can vote for or you could create a new one this way.  ... View more

I think one reason is the one mentionned by @BPry and another one is because palo hasn't had a lot of different platforms some years ago. So about 5 years ago before the 3000 series were released a company had to choose between pa2000, pa4000 and pa5000 series. Even back then pa2000 and pa4000 were already "old" hardware platforms and probably did not have enough throughput (pa2000) so there was only pa5000 series left. With the release of pa3000 this may changed a little with "modern" hardware and 4Gig throughput, but if a requirement was a redundant power supply the only option again was the pa5000 series. With last years release of the pa5200 series I think the overall distribution my change as more and more of the existing pa5000 will be ready for lifecycle, but the pa3200 is likely also going to change something but with the increasing demands on throughput probably all stay the same, except that more and more of the pa5000 will be changed to pa5200...  ... View more

If you are anyway routing everything to your HQ, then it is absolutely possible to use PaloAlto as transparent proxy without major network architecture changes.   PS: If you decide to buy a PaloAlto, do not use a PA-3060. You deginately want to go with the 3220 - specially if you need TLS decryption as this hardware has more of the modern chips that are build for current algorithms, not like the 3060 which is already some years old. ... View more

If you are willing to write a script, then yes this is absolutely possible with the API. (Very simplyfied) pull the URL Logs and then get the elapsed time from the traffic log - the "primary key" here is the session ID. With the session ID you can mix them together.   And now my personal opinion to reports with browse time: they are crap. There is almost no way to really distinguish between the actual time the user actively spent with web-browsing and background browser sessions. Connections to modern (ajax based, heavily javascript dependant, dynamic) websites stay open even when the user isn't actively viewing the website, while for example a user could spend hours to read a big wikipedia article but in the report you only see a few seconds as the session closes when the content is downloaded. In this example the other employee who opens facebook for like 2 minutes in the morning, but does not close the tab will probably show up in the report that he is using facebook 9/5. As I have never actively used a bluecoat product, this may not apply to this report. As I wrote it is almost impossible to do such a report. With heavy data analytics or if bluecoat injects a javascript into every web browsing session it gets feasable to have browsing times that are way more realistic than a simple session time report. ... View more

@JoeAndreini wrote: I think you are making this harder than it needs to be...   I would do the following: 1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls 2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces 3) when the maintenance window begins, apply this candidate configuration 4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch     I would also use exactly these steps for this migration. Specially because I can confirm that was working perfectly fine when I did the opposite (migrate from L3 interfaces to subinterfaces).  PaloAlto Firewalls are Zone based firewalls, so the session sync will work during this migration. This is because on a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone. --> nothing about source-interfaces 😉 ... View more

Actually it is possible to have URL filtering configured without TLS decryption, because the client sends the hostname of the website where it wants to connect in the TLS handshake. This part of the connection is not encrypted so Palo is able to filter based on that value. ... View more

@Mick_Ball wrote: This was also an issue for me with win 10. It worked with other vpn but not pan. From what i can remember it was an issue with NLA.   microsoft network location awareness. The problem is that the vpn has no default gateway so NLA assumes no internet access..  not sure if it was resolved but will check next week. Google NLA and vpn default gateway 0.0.0.0 as there are some reg settings to trick NLA or turn it off...    will update next week... Would be great if you post the trick(s) on how to make this work 😉 ... View more

Did you check one of the clients with this user-ip-mapping if there is something that logs on anonymous on that client? Is the user-id agent your only source for user-id or do you have also others? ... View more

@JoelWong what panorama version do you use? ... View more

Two years ago I had a TAC case open for this ... the answer I think was "this is an issue of microsoft" ... all right, I opened a case at microsoft "this is an issue of the vpn software" ... after speaking again to palo TAC without a solution I simply gave up on this as it wasn't that important for us.    But also for us this is still an issue: windows store apps are not able to connect anywhere when global protect is connected.   May be you @aromero have more success if you open a TAC case? ... View more

If you havent set different average times or snmp read intervalls, this sound to me like 8.0.9 did not fix this issue completely. To be sure the best probably is to open a TAC case ...   Another method would be to use the xml api, but it not an out-of-the-box solution like snmp ... ... View more

Hi @raji_toor   I assume you are querying these values with snmp? If yes, then you have to update to 8.0.9 because what you have here is bug PAN-80686, which is solved with 8.0.9.   Regards, Remo ... View more