About ericgearhart

I hear you, and honestly I want PA to succeed. I like the "story" of the little guy with the game-changing and revolutionary ideas winning (as the oldest example i have of that, I got on board with Linux around 1998, when I was like... 15). I just want them to improve the QA process, test these new features, and ultimately not make me look foolish for 'cheerleading' for them at work. ... View more

rk - we're waiting for the DHCP NACK fix to be backported before we upgrade to 4.1.11 or 4.1.12... we're waiting on 4.1.13 (assuming the DHCP fix makes it in) before we do the upgrade. ... View more

... vote with your budget... change firewall vendors. Sad but true. Where I currently work, the Palo Alto QA missteps we have seen are causing us to seriously reevaluate our firewall strategy. ... View more

Go look at your config audits and compare the versions! I wonder if the way that PA tries to "overlay" diffs was flaking out in this case. A "full commit" might have fixed it too. Hm. ... View more

Nice! Nice writeup. You could make a DOC- for this ... View more

I'm running 4.1 right now... we're taking a "wait and see" approach on 5.0 right now. You might have found a bug in 5.0's DHCP implementation possibly.... ... View more

Just for the sake of searching the forums and finding this thread in the future, I think this is the equivalent to Cisco's ASA commands: clear crypto isakmp sa (or 'clear cry isa sa') clear crypto ipsec sa ... View more

In-house here we have a PA doing DHCP that crosses a subnet boundary just like you're trying to set up... let me take a look at what netmask the clients are getting from our PA as well ... View more

If that's the case then this sounds like a bug to me... in theory the CIDR notation on the pool assignment should be parsed and the PA should 'figure out' the netmask to dole out to client. Just my two cents though. ... View more

Could you set the IP space to the /16 you want, and then define specific reservations for the IP space you already have allocated? ... View more

This is one of the things that truly irks me about Palo Alto's IPS/IDS implementation... I have had a lot of experience with Snort/Sourcefire IDS products, and one huge leg up over other implementations I've seen in Sourcefire's Snort is the fact that the rules are easily browsable (except for very specific situations, where "shared object" rules were written to obfuscate the rule so that the rule can't be analyzed and have an exploit written for it - that's a corner case though). It's very easy to determine if a given rule that fired off is a legitimate event or a false positive, because I can look at the rule that generated the event with a PCAP open along side the rule, and determine if this traffic match was a false positive or not. Both Check Point and PA should really "get the memo" on this... we as network security folks need to be able to see not just that some proprietary thing determined that there was "bad network traffic," but to see how the rule/signature was actually written. ... View more

Here's the first issue I've seen... he's going from 4.0.5 to 4.1.12 though so it's kind of a big leap https://live.paloaltonetworks.com/message/26615 I'm still waiting for the DHCP fix we were promised before we go to 4.1.12+... it's slated to appear in 4.1.13. ... View more

Hmm. I suppose. I wonder if doing a factory reset and then importing a config should be more or less a "best practice" then... ... View more