About rps

Isnt it possible to select "known-user" as with source user and policies? ... View more

Ahh ok so selecting radius in service route configuration is the global setting for the PAN where to (or rather which source interface should be used) send radius requests and if I do that I will also have to add a "static" route in the service route configuration towards the ip for the userradius used by the captive portal (assuming that the "radius" setting in service route will be set to use MGT interface) and then everything should be fine? 🙂 Are there any differences when sending "administrative" traffic through one of the dataplane interfaces compared to the dedicated mgt-interface? Im thinking of if the fpga will cut the sessions due to some timeout which might exist on stuff that passes through dataplane but it will not be cut when using mgt-interface? ... View more

But that would render that users can login to MGT interface just because they exists in the userradius and not in the adminradius. It would be nice if those two things could be separate (since the dataplane and controlplane is already (somewhat) separate in a PAN). ... View more

Based on your answer I guess its not possible to use one Radius for adminlogs (towards MGT) and another Radius for userlogins (towards captive portal)? I guess I'll have to issue yet another request... Another request would be if PaloAlto Networks could issue requests on their own based on the discussions in KnowledgePoint without having to force their customers to issue a specific request towards their support. ... View more

Hmm, isnt what you decribe what the "SSL Decryption Certificate" (in the Certificates config) is used for? Since you will have to import both private and public key of the CA to the PAN so it can issue its own certs for the MITM when doing ssl decryption? While the "Trusted CA" will only accept the *.crt part. How are certs handled during ssl decryption if the cert (on the server which the client visits) is issued by a private CA? Is the workaround for this to uncheck "block unknown" in the crl settings? Because I would like to block unknown certs (or certs that cannot be verified between PAN and the server) but at the same time still tell the PAN unit to trust a specific range of CA's (except for those who are builtin if any). ... View more

Ooops sorry for the double post. I thought I had already asked this in a thread but I wasnt able to locate it (which made me think I didnt asked) so I asked again, the original thread https://live.paloaltonetworks.com/thread/1266?tstart=0 Thank you for the workaround, ill try it out along with a request to our support for a deny function (perhaps a deny grouped by sending empty data to the client). ... View more

I got a suggestion for workaround in https://live.paloaltonetworks.com/thread/1276?tstart=0 I will contact our support and file this as a request. ... View more

Mail sent 🙂 ... View more

"web-browsing" is already allowed but it doesnt seem to work as expected. I created an application filter named "SURF_browser-based" containing: Technologies: browser-based Subcategories: email erp-crm file-sharing general-business instant-messaging internet-utility office-programs social-networking storage-backup web-posting and assign it to a policy to allow the applications which are contained in the above subcategories (note how instant-messaging is included along with web-browsing which is in internet-utility if im not mistaken). After commit the output is:     * device: Rule 'SURF' application dependency warning:     * - Application 'zimbra' requires 'http-proxy' allowed in the policy     * - Application 'zimbra' requires 'http-proxy' allowed in the policy     * - Application 'zimbra' requires 'http-proxy' allowed in the policy     * - Application 'zimbra' requires 'http-proxy' allowed in the policy     * - Application 'zimbra' requires 'http-proxy' allowed in the policy     * - Application 'zimbra' requires 'http-proxy' allowed in the policy     * - Application 'mobile-me' requires 'http-proxy' allowed in the policy     * - Application 'mobile-me' requires 'http-proxy' allowed in the policy     * - Application 'mobile-me' requires 'http-proxy' allowed in the policy     * - Application 'mobile-me' requires 'http-proxy' allowed in the policy     * - Application 'mobile-me' requires 'http-proxy' allowed in the policy     * - Application 'mobile-me' requires 'http-proxy' allowed in the policy     * - Application 'msn2go' requires 'http' allowed in the policy     * - Application 'msn2go' requires 'http' allowed in the policy     * - Application 'msn2go' requires 'http' allowed in the policy     * - Application 'msn2go' requires 'http' allowed in the policy     * - Application 'msn2go' requires 'http' allowed in the policy     * - Application 'msn2go' requires 'http' allowed in the policy     * - Application 'bebo' requires 'http-proxy' allowed in the policy     * - Application 'bebo' requires 'http-proxy' allowed in the policy     * - Application 'bebo' requires 'http-proxy' allowed in the policy     * - Application 'bebo' requires 'http-proxy' allowed in the policy     * - Application 'bebo' requires 'http-proxy' allowed in the policy     * - Application 'bebo' requires 'http-proxy' allowed in the policy     * - Application 'aim-express' requires 'aim' allowed in the policy     * - Application 'aim-express' requires 'aim' allowed in the policy     * - Application 'aim-express' requires 'aim' allowed in the policy     * - Application 'aim-express' requires 'aim' allowed in the policy     * - Application 'aim-express' requires 'aim' allowed in the policy     * - Application 'aim-express' requires 'aim' allowed in the policy     * - Application 'woome' requires 'rtmp' allowed in the policy     * - Application 'woome' requires 'rtmp' allowed in the policy     * - Application 'woome' requires 'rtmp' allowed in the policy     * - Application 'woome' requires 'rtmp' allowed in the policy     * - Application 'woome' requires 'rtmp' allowed in the policy     * - Application 'woome' requires 'rtmp' allowed in the policy     * - Application 'bigupload' requires 'ftp' allowed in the policy     * - Application 'bigupload' requires 'ftp' allowed in the policy     * - Application 'bigupload' requires 'ftp' allowed in the policy     * - Application 'bigupload' requires 'ftp' allowed in the policy     * - Application 'bigupload' requires 'ftp' allowed in the policy     * - Application 'bigupload' requires 'ftp' allowed in the policy     * Configuration committed successfully Note the warning regarding msn2go which I feel is a bit odd since both web-browsing and msn2go are allowed... ... View more

You can set "source user = any" as workaround. Another method would be to use captive portal along with ntlm but I dunno if pan-agent will work on 2008 or if it have the same issues as ts-agent. ... View more

Could these rule of thumbs be compiled into a single pdf? 🙂 ... View more

Hmm because I have noticed that my ts-agents gets disconnected by the PAN unit after approx 2h50m which makes the logs be incorrect regarding userinformation or completely empty regarding which user made which session (since the PAN-unit still believes its "connected, ok" with "show ts-agent statistics" while each ts-agent on the terminalservers along with "netstat -an | find "5009"" verifies that the PAN-unit is no longer connected). Today I setup a custom app id (to make sure there is no session inactivity going on by setting sessions timeout to "0" for my custom app) and than an application override to make sure my "custom-ts-agent" was being used for the traffic and then verified with traffic log (logging set to both start and end). But it still got disconnected after approx 2h50m... By the way, how come the ts-agent doesnt have an official appid? 🙂 paloalto-userid-agent exists but not paloalto-ts-agent? ... View more

SSL (https) is not only used to keep traffic secure from sniffing / routing errors on the internet but also a way for malware (spyware, virus and stuff) to avoid being detected by an antivirus engine (until it reaches the victim) since the traffic is encrypted when it passes the firewall. When you enable forward decryption the PAN unit will act as a man in the middle attack by decrypting the ssl-session, investigate the traffic (be able to find out which app is used, scan for vulns, scan for virus, scan for spyware etc) and then encrypt it again and send it to the client (if the policy says to allow the traffic). In order to do this in silence the client must have the ca.crt which the PAN unit will use to encrypt the ssl between itself and the client (otherwise the client will get an error that the cert is issued by a ca which is not trusted). If you want to protect your net you can enable forward decryption for all outbound traffic (NOTE: do NOT enable it for the PAN unit itself otherwise the managementplane will become instable 😃 which means that ssl stuff that cannot deal with a custom ca.crt will simply be blocked (that is block traffic that you cannot inspect but this depends on the usage of the PAN unit and company policy surrounding the nets involved). The downside is that this MITM attack doesnt work if the client already have stored the cert which the server will use (since the certs will no longer match). This is the case for windowsupdate for example which means that you need to setup a "app: ms-update" + destination of windowsupdate servers as "no decrypt" rule before your "forward decrypt" rule in SSL Decryption settings. Example: rule1: from trust to untrust source: any destination: *.windowsupdate.com (etc) app: ms-update action: nodecrypt rule2: from trust to untrust source: any destination: any app: any action: forward decrypt In the above case you must decide if you want to allow traffic from windowsupdate servers to be unscanned (but allowed for the client) or block this traffic all together (by simply just delete/disable "rule1" above). ... View more