About gwesson

The graph is a bit confusing, so that's where the issue is. App override traffic does indeed skip content inspection unless you're overriding it to a pre-defined app.   Note that the diagram you referenced has "Content inspection setup" on the green Application Identification section, not actual content inspection. The "setup" is to do the tasks it lists: - Setup SP3 if security profile is specified - set session to discard if security rule action deny - set QoS class from QoS policy lookup It still has to do those things, even for app overridden traffic.   If you follow that box down to the next one ("Application is SSL and decryption policy match?"), the result is No, which moves us back to the pink/salmon FW Fastpath block.   There, it has another yes/no box "Content inspection applicable?". When you do app override, the answer to that is No, which skips all of the SP3/CTD (blue) box and moves to packet forwarding at the bottom. ... View more

Hop into the CLI on the firewall when you're ready to try updating Chrome. Find out your IP as seen by the firewall, then show the sessions that got denied by doing: > show session all filter source 192.0.2.1 state discard   When you find some in discard state, you can then show the details of that session to show you what rule it hit: > show session id 123456789   That should help guide you to the traffic being denied/broken. ... View more

Did you actually reserve those IPs out of the pool? If you've given the DHCP server on the firewall the full /24, but some devices are already staticly defined and the firewall isn't aware of that, you'll hit this problem.   Instead of giving the /24 for your IP pool, you'll want to supply only the IPs that are not already reserved.  Just use a range for the first and last sets of IPs, such as:   192.168.1.1-192.168.1.35,192.168.1.66-192.168.1.254   ... View more

@Remo my bad, you're right. Sorry about the confusion! ... View more

You can avoid hammering the server with requests, it's all loaded client side anyway.    Just open your browser's developer tools (while preserving the log) and refresh the main Applipedia page. The object is GetApplicationListView. Parsing it is left as an exercise to the reader, but that should give you the full table.     ... View more

First thing - you should really upgrade both code versions you're running. 7.1.8 was released in February of 2017, you're almost 2 years out of date. 8.0.8 was released in February of 2018, so it's better but still  risky to run.   Both versions have critical and high risk security vulnerabilities: Critical: PAN-SA-2017-0027 (fixed in 7.1.13+)   High: PAN-SA-2018-0008 (fixed in 7.1.16+, 8.0.9+) PAN-SA-2017-0028 (fixed in 7.1.13+) PAN-SA-2017-0025 (fixed in 7.1.12+)   That said, the simplest way would be to use the Expedition Migration Tool. It's not supported by Palo Alto Networks support, but the community is very active and your account team may be able to assist as well. Some more complex but stand-alone methods would be to export your running config and modify the device groups in question. You could also script it and use the API to update each of the rules. ... View more

You can also grab one on Azure/AWS.    AWS has a bundle for about US$1/hour that will let you play with most things on the firewall without having to do a dedicated lab. I think Azure is similar, but haven't set it up myself yet.   It might not be exactly what you need, but might be a cheap way to get your feet wet with the platform.   https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314 https://azuremarketplace.microsoft.com/en/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Overview   ... View more

Link Aggregation without LACP uses a session hash to load balance over the member interfaces for that group. It uses the full bandwidth available in the group.   The risk of this is that if you don't use LACP and one of the member interfaces goes down, sessions will continue to be forwarded to that interface (based on the hash), blackholing traffic.   So you can do it, but I wouldn't recommend it 🙂 ... View more