About Remo

Hi @SThatipelly    As already mentionned by @BPry in your other topic (https://live.paloaltonetworks.com/t5/General-Topics/How-to-view-active-ssl-sessions/td-p/209843/jump-to/first-unread-message) the ACC tab is a quick and easy method to estimate the throughput. But instead only filtering for the app ssl, I would set the filter to 443. But keep in mind that ACC only aggregates the traffic when sessions ended. So if you have an ssl session that was open for days and transfered quite a few gigabytes, you will see a peak in traffic at that time when the session ended. So you need to divide the total amount of traffic by the amount of time to get an average of ssl throughput. If you really want to know the actual throughput it will get a little more complex and requires QoS (without setting additional limits) and a script that pulls data periodically (every 10 seconds for example) from the XML API. But this way you will be able to get almost the actual throughput for decrypted traffic.   Regards, Remo ... View more

The "problem" is that not every application can be recocnized within a few packets. In some cases you first need to allow these dependencies, to allow enough traffic that the firewall will be able to see the adobe cc application. And again in other cases decryption is required to gain this visibility, because without that for example the firewall only sees web-browsing or ssl. You actually don't have to allow the dependencies, but as I wrote, in some cases paloalto can only guarantee full functionality of the various apps when you allow these dependencies. As you see this can also have negative/unwanted sideeffects which you can restrict with this solution with the custom url category. ... View more

I would recommend creating a custom url category which you add directly to the security policy rule (not via security profile).     ... View more

Hi @Sanasheikh   In some cases it also works without adding the dependencies. You then probably get a commit warning, but it will not allow general webaccess. Or as @Ben-W already pointed out, you can use a custom url category to restrict the access to only Adobe domains. The list with quite a few entries from adobe you can find here: https://helpx.adobe.com/in/enterprise/kb/network-endpoints.html (And yes, using a custom URL category does not require a URL Filtering license)   Regards, Remo ... View more

I have the same config here. I have the syslog server profile on all firewalls in a global template, even if I do not need in on all devices. And obviously I also don't need the log forwarding profile on all firewalls, but creating it in shared devicegroup context is the only working solution. And because the forwarding profile is created in shared context it will be pushed to all firewalls - even if it is not used - which the other way requires the syslog profile on all firewalls for not getting commit errors because of deoendencies. ... View more

Did you configure the syslpg server profile in the shared context or for a specific vsys? And in addition: the log forwarding profile also must be greated in shared context and not in a device group in order to make it work. ... View more

Are both ISPs equal (bandwidth, service level, ...)? ... View more

Could you try to disable Netbios probing? ... View more

Hi @hamza-zidane   Simply add routes where you choose "Next VR" as next hop and then ypu choose the coresponding VR.   Regards, Remo   PS: the big question is: why do you need to do that? If you need routing between these interfaces this separation will only add operational burdens but no additional security. ... View more

Hi @Anon1   Depending on the amount of rules you have it might be worth to spend some time with learning - learning about the XML API and XPATH. If you're alrrady familiar with these topics: Great, then this should be easy for you.   Some basics you can find here: https://live.paloaltonetworks.com/t5/Community-Blog/Export-the-security-rulebase-using-XML-API/ba-p/207981   The most important API request in this case for you is: https://{FIREWALL-IP}/api/?type=config&action=show&key={APIKEY}&xpath={XPATH}   With XPATH you should be able to get only the rules without a log forwarding profile configured. This XPATH will show you all the existing rules: /config/devices/entry/vsys/entry/rulebase/security If you now add a NOT statement to this XPATH to exclude all the rule with a log forwarding profile: [not(rules/entry/log-setting)] Combined this will give you this API request: https://{FIREWALL-IP}/api/?type=config&action=show&key={APIKEY}&xpath=/config/devices/entry/vsys/entry/rulebase/security[not(rules/entry/log-setting)] With this final request, I am actually not 100% sure if this really works but you can test this easily (copy&paste - done). @reaper: Do you know if the XML API has FULL support for XPATH queries?   If this does not work, you need to do it in two steps with the help of a scripting language, where you first do the rulebase query and then to the additional XPATH query to reduce the output to the rules without log-forwarding profile. (If it does not work and you're interested in this solution I can post a short example with powershell).   Regards, Remo                   ... View more

@Brandon_Wertz Thanks for clarification. I also got it ... the same as the decryption broker feature of paloalto in 8.1 ... View more

@SThatipelly Just keep in mind that I only try to help 😛   ... but I still don't see how this should work. If this is possible by bluecoat to forward unencrypted traffic to palo and then back to bluecoat where the traffic will be reencrypted - good. But with the additional points you bring up here, specially that you still want to use the protection of your Paloalto firewall. Don't you have to place this bluecoat appliance directly behind your internet router to even have a chance for this session matching? And what about NAT: do you have NAT configured on your paloalto and if yes, how will bluecoat do a session matching with different IP addresses and ports? And to DDoS protection, I doubt that the problem is the CPU of your firewall in case of an attack, it is much more likely that your complete bandwith will be used by the attack and you will be "offline" anyway, even with an cpu on your firewall that is idle. ... View more