About gwesson

> Wow, thats a bit hostile.   Sorry about that, it wasn't my intent. I was trying to determine if the change you made was something you got the ok with from Microsoft.   My point is that you've increased the logging retention, are using a product that reads logs by design, and works fine when you delete the logs that are only there because you've increased the retention value.   Once the firewall/agent completes the initial scan, it actually does start only where it left off. It has to succeed once though, so the logs you have might actually be ok.   Try bumping the retry/reread value considerably for the first run. Once it completes, then you could probably lower that value to get faster responses to log changes. ... View more

I'm having trouble understanding why you want 20 GB of logs on your DCs. I can't imagine you're using the Windows Event Viewer with its limitations, so I would guess you're using powershell or similar to run queries, which further would reduce the need to have them local.   Why are you handling log retention that large on a system that's operating as your domain controller? Those should be offloaded to a dedicated log server if you want to keep that many logs.   Given that you seem to stick to vendor best practices, what does Microsoft say as their recommendation for log retention directly on the DC given your user and group sizes? ... View more

It definitely works with HTTPS, but you do need to decrypt that traffic. There is no way the firewall can inspect the traffic if the data is encrypted. ... View more

There is no mechanism to export your config to MS-SQL from a firewall/Panorama. It would need to be something you convert yourself.   That's really more of a question for Microsoft, since XML is not unique to Palo Alto Networks. You're really looking for a generic XML-to-MSSQL program. Some quick googling shows a doc from MySQL (I know, not the same): https://dev.mysql.com/doc/refman/5.5/en/load-xml.html   Microsoft does have a doc on it, but it's not something I am familiar with in any capacity, so I'm not sure if it will even help: https://docs.microsoft.com/en-us/sql/relational-databases/import-export/examples-of-bulk-import-and-export-of-xml-documents-sql-server?view=sql-server-2017 ... View more

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/upgrade-to-pan-os-7-1/upgrade-a-firewall-to-pan-os-7-1   For downgrades, once you are running 7.1 you would just re-install your older version. Please note though, that there is no support for 6.1 code and content updates (antivirus, applications, threats) will not work.  ... View more

You do still get the benefits of Wildfire even without uploading data, since the hash of files is still sent. If someone else has already scanned that file, the result is provided to you without actually uploading the file itself.   You may want to talk with your account team about getting a Wildfire Appliance instead. That will allow you to have the sandbox features of Wildfire without uploading files to the cloud at all. It will definitely be more expensive than the cloud license since it's a physical appliance, but it was created precisely for use cases like yours.   https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/wf-500-wildfire-appliance ... View more

No, once you delete the logs there is no recovery option. The command immediately deletes the files from /var/log/pan/. With a linux back-end, there's no temporary deletion location, the files are simply removed. ... View more

It hasn't changed from 8.1 to 9.0, unless this isn't what you're referring to. Objects > Security Profiles > URL Filtering > {profile-name} > Pre-Defined Categories > Set any category to "Override":   ... View more

With my (limited) Apache knowledge, you don't strictly exclude specific curves but rather include only the ones you want. You would put a line in your httpd.conf (or apache.conf, or whatever your site uses). It will probably wrap when I post this, but it will all be on one line. I stole this from Apache Lounge:   SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect2...    You can also use the SSLCipherSuite directive to exclude entire suites as needed. ... View more

@SShnap wrote: > I think they should release an application list update, which add working port 443 for web-browsing application. > > I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80. > > You need to create another policy to allow web-browsing application on 443 port.   I had to hold my tongue (well, fingers) because 9.0 hadn't been released yet, but now that it is available I can share this: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/app-default-strict.html   Now, in PAN-OS 9.0, if an application has a known secure port like web-browsing, your app-based allow rule will work with application-default when decrypting. Currently the app list is web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. Palo Alto Networks can update that list as well via a content update.  ... View more