About networkadmin

networkadmin · ‎04-29-2010

I've been experimenting with the URL override feature. Works fine, however even with the PANs self-signed certs in the PC's trusted root authorities store, I can't seem to get away from getting a "mismatch" warning because when someone goes to www.overridesite.com the SSL cert is only valid for pan.ourdomain.com even if it trusts the CA. Is this just how it is or is there anything I can do to make it a bit more seamless please? Thanks in advance.

networkadmin · ‎04-28-2010

Actually here's a question. I read this on Digicert: http://www.digicert.com/uc-certificate-add-subject-alternative-names.htm Does this mean that if I have a wildcard cert installed on the PA on day one for inbound SSL decryption, that if six months later I add some SANs to the certificate, that I now need to also install the new cert on the PAN, or will the initial install of the wildcard cover it? Hope that makes sense - the reason for looking at using a wildcard is to avoid duplication of effort.

networkadmin · ‎04-28-2010

Brilliant, thanks very much

networkadmin · ‎04-28-2010

Thanks for the reply. I had a chat with Vadition and they were of the view that the simplest solution (maybe more work to get there but neater/simpler) would be to bring the hosts off a L3 interface and have a DMZ zone and do inbound NAT etc. One question on that as I only just asked them - can you assign multiple NICs in the PAN to the same L3 interface? I ask as we only have two DMZ hosts so it'd be nice to be able to plug them directly into the PAN vs. bringing another (small) switch into the equation.

networkadmin · ‎04-26-2010

Are there any issue(s) when using one of these for the reverse proxy (i.e. DMZ websites that use SSL) on the PAN please? Specifically thinking of using Digicert.

networkadmin · ‎04-25-2010

Hoping for some clarification on using Virtual Wire to inspect traffic to our DMZ please. Right now the external interface of our PAN has a public IP of 1.2.3.1/24. Its default gateway is another firewall in front of it, it's internal interface has a public IP of 1.2.3.2/24. Both of these interfaces are connected to a switch, and on that switch we also have a webserver/mail relay which have public IP's on the same 1.2.3.0/24 network, kind of like this: LAN | | PAN (external interface is in dumb switch) | Dumb Switch--DMZ Servers | Perimeter Firewall (internal interface is in dumb switch) | Router I know I can bring those DMZ servers in behind another interface on the PAN and assign them private IP addresses and have the PAN do the decryption/inspection/forwarding. I also believe I can setup a DMZ "virtual wire" which will let me do SSL decryption and threat/virus inspection without having to touch the configuration on any of those DMZ servers. What I'm not clear on is how I'd do this, and as I don't have a PAN I can test on I'd appreciate some clarification before I do anything. Equally if every "best practise" out there is to do this using traditional NAT tell me and I'll look at doing it this way (How do I best build up the "new" ruleset on the PAN without committing it until I'm ready, whilst being able to make changes to my running config if I need to?). Thanks.

networkadmin · ‎04-22-2010

I know this is subjective, but does anyone have any knowledge/experience of how effective the Palo Alto IPS/IDS is compared to a more dedicated product? I'm looking at ways to try and detect/block suspect traffic to our web server and obviously there are lots of IPS/IDS solutions ranging from software to hardware.

networkadmin · ‎04-14-2010

Bump.. anyone please? I'm assuming this isn't in 3.1?

networkadmin · ‎04-07-2010

If I setup a policy using a URL filtering profile that uses override for at least one or more categories, once the user enters the override code, what are the exact rules that then apply? For example if I set "shareware and freeware" to "override" and someone goes to www.cnet.com and enters the code, at what point does that override expire? Whilst they are in "override", is it for the website, or the category i.e. if they then went to another site that's in "shareware and freeware" would they be able to access it? Is there a document with a more detailed breakdown?

networkadmin · ‎04-07-2010

Brilliant thanks Mike, I may wait for 3.1.1 (or the first "bugfix" release) but sounds like a plan.

networkadmin · ‎04-02-2010

Ahhh OK, so instead of multiple URL profiles that serve only to have an allow list, you create a URL category called "ms-update sites" or "global whitelist" and set those to allow on the URL profiles instead of duplicating/overlapping the URLs in the "allow" box? I think that would make things a bit simpler to manage so I'll look at the documentation/PanOS manual. Presumably 3.1 is considered stable/production ready? I ask as whilst I believe 3.0.8 is more "mature" I'm unsure quite what you'd consider the deciding factor between whether to deploy 3.0.8 or jump to 3.1 (we're on 3.0.6 right now)? Thanks.

networkadmin · ‎04-02-2010

Thanks Mike, I guess that would work though it's not ideal as it means maintaining two sets of overlapping URL profiles (AFAIK you can't "group" URL profiles can you?). Are there any plans to bring in an option to have allow lists where if the URL is not on the allow list the request simply drops through to the next rule?

networkadmin · ‎04-02-2010

I have a query regarding multiple rules to allow access to URL whitelists. Let’s say I have rule1 that allows “any” on my LAN to a URL profile that blocks everything but only allows access to url1.com. I then want to have rule2 that only allows “some servers” access to only url2.com. The problem is that the URL filtering profile on the first rule stops the request for url2.com from ever reaching the rule that allows it. Seems a simple enough thing to want to do so I must be missing a step/technique in how I'm doing it? Thanks.

networkadmin · ‎04-01-2010

I guess this is a YMMV dependent upon the model, but we have a PA-500 running 3.0.6. What do Palo Alto recommend I be running as the stable version please? 3.0.8 or 3.1? Also if I do an upgrade is there a ballpark on the actual downtime (not the total upgrade time)? Thanks in advance.

networkadmin · ‎03-23-2010

That'd be the one! So any update on the feature request please?

Member Since	‎02-12-2010 10:34 AM
Date Last Visited	‎09-16-2017 04:35 PM
Posts	242
Total Likes Received	16

Online Status	Offline
Date Last Visited	‎09-16-2017 04:35 PM

About networkadmin

Re: Content Versions 706 & 707 - some explanation needed

Re: Forcing TLS/SSL decryption to cipher suite PAN can decrypt?

Forcing TLS/SSL decryption to cipher suite PAN can decrypt?

Re: MineMeld real-world usage to reduce threats?

MineMeld real-world usage to reduce threats?

Skype for Business using App-ID?

Re: Rule too allow access to group of URLs?

Re: Rule too allow access to group of URLs?

Re: Rule too allow access to group of URLs?

Rule too allow access to group of URLs?

Re: Import PA-500 config on PA-3020?

Re: Exclude URL

Re: How do I check how a URL is categorized and suggest changes or corrections?

Re: CVE-2015-0235 Ghost

Re: Paloalto to Firebox

Re: Forcing TLS/SSL decryption to cipher suite PAN can decrypt?

Re: vwire using a single physical interface possible?

Re: Dynamic Block List - Limit on number of entries?

Re: CVE-2015-0235 Ghost

Re: CVE-2015-0235 Ghost

URL Filtering Override SSL Certificate

Re: Wildcard/UCC SSL Certificates

Re: Wildcard/UCC SSL Certificates

Re: Virtual Wire DMZ - Help Please

Wildcard/UCC SSL Certificates

Virtual Wire DMZ - Help Please

IPS/IDS Effectiveness?

Re: "Top Domains" report?

How long do URL override codes last?

Re: Multiple policies that use URL allow lists?

Re: Multiple policies that use URL allow lists?

Re: Multiple policies that use URL allow lists?

Multiple policies that use URL allow lists?

Expected downtime for a PanOS Update?

Re: "Top Domains" report?

Unlock your full community experience!

About networkadmin