About bdeschut

If you mean hideNAT (So hide a subnet behind one IP address), yes of course it can. Use Dynamic IP And Port ... View more

You should be able to download it from your partner portal. The current version is 2.0 if i'm not mistaking ... View more

Here is a useful document comparing the specs and features of the different models: http://media.paloaltonetworks.com/documents/Summary_Specsheet-Nov12.pdf ... View more

The traffic is in an isolated vlan which can only access the internet, not other internal subnets. A strict policy is in place to ensure this. I see no reason why this network should not be behind the main firewall. ... View more

This was indeed the first thing that came to my mind, but in our case, hosts in the guest network are not controlled by our IT team. ... View more

Using individual threat ID'is is not an option I believe, since conficker seems to have a lot of different threat ID's. I was trying to filter them out of my threat logs but after removing 20-30 of them, there were still a lot more that needed to be filtered out. It seems there is no reasonable way to "group" the conficker threat and filter it out. Since conficker uses a generic url and PA creates a different ID for each of them, the exception list would grow rapidly every day. I am not sure about this, but it seems logical. ... View more

Indeed sspringer, this does the trick. Thanks! ... View more

So I would need to create a new rule above the one that allows it at the moment with source IP the infected clients (otherwise I would not know when other clients have it)? Also, the conficker threat has a lot of threat ID's, so setting all DNS queries to all would make other threats not show up in the logs? ... View more

I will test in my lab, thx for the hint! ... View more

Hey, The policy rule will contain the same URL filtering profile as for the rest of the company users. But additionally, the rule needs to block access to all websites for our monitor, except those from the list in the custom URL category. So in the custom URL category will be: google.com, microsoft.com, playboy.com,... so our monitor will be able to check that it can access google and microsoft, but get's the Palo Alto block page when going to playboy.com. Except for those sites, all access needs to be blocked, therefore the need for the custom URL category that will be added to the security rule. But I am afraid that from then on, the Palo Alto will categorize google and microsoft as "myCustomCategory" instead of their respective predefined categories and it will show up in the logs and reports. I hope this is clear, otherwise I will add some screenshots Kind regards, Bob ... View more

I suppose you used the URL filtering object in your policy rule to allow the traffic? I only created the custom URL category object, I did not use it in a profile. What I want to accomplish: create a custom URL category with certain URL's in it and use that in a policy. However, in the URL logs, I still need to see the predefined category. So system A can go to the URL's in the custom category, using the using the URL filtering profile also used by the rest of the rulebase. (Our monitor checks a list of websites, both approved and denied, and alerts us when a website in unreachable or reachable. This way we get alerts for example when users can browse to adult websites. We want to restrict the access from the monitor server though, to the URL's in the customer category) Regards, Bob ... View more

We also see this problem on a system with a lot of vsys'es on 4k series. The problem is the lack of resources on the mgmt plane. The main cause of the issue is the fact that the device needs to log /a lot/ of traffic, which takes up all the resources. In our case, the best solution would be to buy new hardware. What platform and version do you have? Is the box doing user-ID of needs to log a lot of traffic? ... View more

Perhaps enable logging on session start to check if you see the logs then? When logging on session end, you will only see the log when the session end, so if there are keep alive packets send through the tunnel, you won't see a log. ... View more