About Maxstr

No I haven't tried that yet. Thanks for the info ... View more

So what is the point of the "vmware-view" app-id? I thought that was supposed to identify this traffic ... View more

Yes, I've added SSL to the permitted apps. I had it set to application-default.   When I set service to "Any", it works. But it still shows port 4172 as SSL. ... View more

It is caused by "certificate pinning" (HPKP). Currently both Firefox and Chrome support this, and there is no way around it besides whitelisting pinned domains ... View more

It is a virtual machine, Win2008 R2, with 1vCPU and 8 GB ram. I was hoping not to throw more resources at it, especially since there are a total of 4 domain controllers. The other 3 do not seem to have this issue with the amount of logs, which leads me to believe there may be a configuration issue ... View more

Yes, I started using the firewall agent after the standalone agent stopped communicating with the PA. For some reason the PA doesn't appear in the list, and I have tried re-installing it ... View more

Well, with Chrome, I have the PA cert imported as trusted publisher, root, etc. But, even if Google.com is in the decryption profile, Chrome itself ignores the Palo cert. I go to google.com or YouTube.com and look at the certificate, instead of my cert, it's google's own cert. But all other websites that use SSL do show my cert correctly, so I know it's working. It's only HPKP (or it might just be google's own sites).    As for Firefox, I'm using the latest version on my test machine. While I can easily make any conf changes here, the main issue is that there is no practical way to add certificates to Firefox on an enterprise-scale. It doesn't use GPO, so the cert has to be manually added to each installation. Then it wil work with "normal" websites and I verified that it decrypts. But it will not work with HPKP, unless each Firefox installation is manually changed with that setting you mentioned earlier (which I haven't had a chance to test yet).   Chrome isn't the main issue, because it just overrides the PA cert and allows the user to pass without a warning message. I'm not too concerned about decrypting Google's websites.   Firefox on the other hand, presents a hard security warning and prevents bypassing it.  ... View more

@cpainchaud wrote: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning   Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). Not quite sure what that means. I've added the PA cert into Firefox as both trusted root and in personal store (and whatever the other options are), but it still blocks it. ... View more

Yes, root DNS lookups are still happening, from the same DC and the other DCs. But they no longer have the PA service account attached to them (they just show no user account) after I've disabled the UserID agent application on that DC. Why does the PA generate so much root DNS lookup traffic? What is it looking up that isn't cached on our local DNS servers? I have DNS Packet Capture enabled in the Objects>Anti-Spyware profile, but it's not capturing the DNS packets. ... View more

I've disabled the User-ID agent installed on that domain controller, and I don't see the PA domain account doing root DNS lookups anymore. Now it's not showing any user account linked to the root DNS lookup traffic, which I believe is normal. However, I also don't have that DC in the UserID config now. I have 3 other DC's in the User-ID config, why would this happen on only one DC? They are all in the trusted zone, and the only difference is that the 3 DC's do not have the agent installed. ... View more

Yes, it's set for my trusted zone only. But I'm not sure if I accidentally swapped the trusted/untrusted physical ethernet connections (I have it currently configured as virtual wire and allow all both ways). Could that potentially be the issue? ... View more