About gwesson

Puffin looks like it proxies the traffic to their servers. It might even use a VPN. You may be able to use an SSL decrypt policy, but it would be a challenge to set up without a static destination address. If you have an active support contract, I would recommend opening a case so a full investigation can be done. Submitting it via the app request form is a great first step and may even be enough to get a signature created as well. ... View more

You cannot disable the DHCP log entries. You can increase the lease timer to give a much longer DHCP lease so that entries become less frequent. I also recommend saving a filter so you can show only the events that are relevant to you. I use a simple one to ignore those messages and user-id information: ( subtype neq dhcp ) and ( subtype neq userid ) Save that using the 4th button in the filter menu ("Save Filter"). Hope this helps, Greg ... View more

Yes, you're right. The certificate on the server must be the same as the certificate on the firewall for it to do the decryption. If they do not match, decryption will fail and it will pass through instead. ... View more

When you create your SSL Decryption policy for inbound inspection, you can specify the certificate. If you are asking whether you can create multiple policies that will send multiple certificates based on what the client is requesting, the answer to that is no. While technically feasible, it would require that the client send the server_name extension in the Client Hello packet - something that is not required. I would recommend requesting that from your account team as a feature enhancement. I would phrase it as "add a feature to select a certificate based on the server_name extension in the Client Hello packet". Beyond that, a wildcard certificate from a CA might be a middle ground between a single name and a SAN cert. But if you do have clients using multiple domains, the only other option would be adding additional IPs to your external interface, changing DNS to reflect those IPs for the different domains, and then having different SSL inbound inspection rules based on those IPs. Hope this helps! Greg ... View more

Since you have the PFX, you can use openSSL to convert the PFX into separate files. Get the private key from that, then you can import the private key and the joint PEM file you created (no need for the CSR then). ... View more

Hi Luc, You are correct. When it egresses outside the firewall, if it comes back in at any point on a different interface it will need to be processed again. The session details will have changed (different source and destination zones) so that will need to be evaluated in the security policy. Regards, Greg Wesson ... View more

Hi Fabio, There were several User-ID and group mapping issues fixed in 4.1.9 and 4.1.10, are you on those versions or something older? In some cases, group mappings were being eliminated when making changes on the firewall or on the AD server, in others there is a timer being used to poll group changes. Some commands you can issue in the CLI that can help pin down the issue when you are experiencing it: > show user group-mapping state all > show user group list > show user user-IDs > show user ip-user-mapping detail yes Those commands can give you a list of your user IDs and the group mappings associated with them. You also may want to check to see the timeout and logs on your User-ID Agent. Make sure that User-ID is able to read the security logs on your DC. If it cannot, and it uses WMI or NetBIOS probing, sometimes those can be unreliable. You also indicated that 193.242.41.103 can access the web. The "ALLOW WEB TRAFFIC" rule is letting it through. Check that rule, you will probably find that it is allowing outbound traffic without checking for user names. Lastly, you mentioned that support could not help with the problem. If you have an active support contract I would encourage you to open a ticket. It sounds like this would be worth investigating if you are on a recent release. Best, Greg Wesson ... View more