About spolo

This one is pretty tricky, and I'm not sure it would be possible.  I'll defer to see if someone else replies, but as I see it, the video comes as an independent URL from a youtube CDN as an FLV file with no referer.  With no referer, I'm not sure there's a way to identify that it was in the context of Facebook, but I could be wrong.  Just prior to requesting the actual video content, there's a request for crossdomain xml files, but that doesn't affect the content.  Here's a quick snapshot I took using HttpFox of an embedded youtube video download and the associated headers.  Notice no referer header, which is what makes it challenging to identify that within the facebook context. ... View more

I think you should have support take a peek.  I'm unaware of issues with ms-smb on the PA-5000's, so if there is one, engineering should definitely have a look! ... View more

Yes, should be, although, if policy for all SSL VPN users is equal, then you may want to just assign the SSL VPN tunnel to a zone, and create policy based on that source zone. ... View more

If it's still failing you may want to call support or open a case via the web on this one.  Here's a couple of CLI commands that may help you diagnose: First, initiate the url database download: > request url-filtering upgrade brightcloud Now check the download log: > tail follow yes mp-log pan_bc_download.log If it helps you, I checked from one of our boxes in Europe and it's having trouble also.  That box does resolve to a different IP than we do here in the US, so not sure if it's something localized or not.  I don't have a lot of time to open a case with support on this right now, but it does warrant further investigation. Hope this helps! ... View more

I think your next option here is to review logs and start filtering on dates or rules you might question.  There's currently not a report like that one for "infrequently" used rules.  If you have particular rules you'd like to clean up, you could potentially create a custom report for utilization of just those particular rules, and run it against your desired time frames.  Hope this helps! ... View more

Generally speaking SMB is a very chatty protocol, so payload throughputs are not reflective of the actual bandwidth in use.  I think ultimately you may want to call support on it, but here are a couple of thoughts that might help you identify the source of the issue: 1.  First off, I think you should upgrade to 4.0.3 if you can, as there were generally a lot of fixes included in that release. 2.  Try creating a rule above your "allow all" rule based on source and destination specifically for your this traffic.  Within this rule I would try turning off security profiles and see if there's a change. 3.  Also in your new rule, try enabling DSRI (disable server response inspection) to see if that helps.  Since you likely trust your servers, this would cut your inspection burden down, which could improve your performance. 4.  Try creating an App Override policy and see the effects there. If you still have issues after that, I'd give support a call to troubleshoot further! ... View more

When you create an SSL VPN profile, you have to choose which tunnel interface it's on.  So maybe one way to distinguish different profiles is by creating security policy around which tunnel interface the user is on, or assigning different zones to those various tunnel interfaces and creating your security policy around those zones.  Then you can monitor and run reports based on zones. You are correct, in order to have different profiles, you'll have to create different SSL VPN portals.  This will require different interfaces, and you're right, different public IP addresses for the users to point to.  In order to make it easier on your users, and if you have the ability to do so, you might consider hosting a redirect page somewhere, where you'd post a page that gives them descriptions and links to the portals you've created.  You could even leverage the custom SSL VPN portal page directly on the device if that would work for your application! Hope this makes sense! ... View more

Have you tried directly connecting to the management interface from your laptop via a crossover cable?  If the management interface comes up okay when directly connected, this would indicate if you have a networking issue rather than a management interface issue. Also, be sure to check the basics... Is the management interface plugged in to the right network?  Is the switch port enabled?  Is the switch port configured for the proper vlan?  Is the default gateway on the box set correctly?  You also might try connecting to the console via serial cable and try pinging out from the management interface to verify he can get out. ... View more

I think you're asking what the vmware appID is.  Is that correct?  If so, yes you are correct, the vmware appID is for VMWare management traffic.  If you look at the appID description, you'll see from the characteristics that this application uses a standard port, tcp/902, which is used by the VMWare Server Console daemon to connect to it's client machines.  So if you see the vmware appID in your logs and ACC, this is what it's for. Your virtual machines may, of course, be doing different things, with different traffic triggering different appID's.  For example, a VM running a web server might trigger an appID for "web-browsing" as traffic comes in and out of that virtual machine. Hope that makes sense! ... View more

I'm sure there will be other responses here, but typically the best place to install is either on or near the domain controller.  The reason being is that the User ID Agent will constantly read the security logs of the Domain Controller in order to identify users, and will parse your AD tree for new groups being added and other AD information.  These logs can get fairly lengthy and as a consequence there could be a lot of data that goes across the network if you put the agent far away.  Because of this, it might be a bad idea to put it on the other side of a WAN from your DC for example. As far as multiple agents go, you should be aware that your security appliance will select one as the "primary" agent to look at for group membership updates.  Nothing to configure here, the primary is automatically selected for you, and you can tell which one the "primary" is by typing "show user pan-agent statistics" in the CLI.  The one with the "*" is the primary. Also, I've attached an older tech note on User ID.  While it's a bit dated and we are working on a new one, the concepts and "how-it-works" aspects are the same!  I hope this helps! ... View more

Just to clarify, sounds like you are using NTLM with redirect mode, correct?  Do you also have session cookie enabled? The authentication process when using NTLM is typically that when the user puts in their credentials, the credentials go to the PAN device, then to the user ID agent specified in the captive portal configuration, then the agent sends to the domain controller for authentication, then the User ID agent reports back to the PAN device, and permission is granted or denied.  In light of this, it may or may not help to check your domain controller's logs to see if the authentication requests are getting there and denied or accepted. If the authentication is denied, then the user continues to be "unknown" and if you have forced captive portal policy for unknown users, then they shouldn't get allowed through.  I believe you may also be able to see the captive portal denial in the System Log (Monitor tab). >>> Additionally, on Windows machines that are not part of the domains, or machines that are part of the domain but being logged onto locally, the last known authentication via captive portal is cached and no re-authentication via captive portal is being done - this was discovered trying to duplicate the no password error, it's been "cached" for 2 days. On this one I think you might need to check your session cookie.  I'm wondering if you have your session cookie set to time out after 2 days. I think there are a few moving parts here to work through... You might want to call support and have them take a peek? ... View more

While I'm not sure I know the answer to this question, you might need to be more specific:  What are you intending to use the certificate for?  SSL forward proxy?  Trusted CA?  SSL VPN/SSL Inbound Inspection/Captive Portal?  Web Admin?  Client CA?  Client OCSP Verify CA?  And does any of this matter since you're likely only going to have one as the active certificate for each of these functions? You can load at least one for each of these, but I get the sense that your use case might be broader than this. ... View more

Have you tried making a custom App ID for this?  ICMP type 3 is not one of the App ID signatures in the native database, but it looks like it would be easy to create one.  I did it quickly and you can see it in the attached screen capture, but I haven't tested it.  Maybe you could give it a shot! To create a custom App ID, go to Objects tab > Applications > Click the "New" button.  Give it a name and description in the "Configuration" tab, and then in the "Advanced" tab, you can choose your ICMP type. Once you have a custom App ID, you could create a security policy to allow this application. ... View more