About ericgearhart

If the agent traffic affects VoIP traffic, then implementing some kind of Quality of Service that can prioritize VoIP traffic on your remote sites is honestly the "best practice" here ... View more

What the heck! So you can use the iOS App, but you won't get HIP profiles with it unless you buy a portal license? Is that correct? ... View more

Having your DNS server logs forwarded to a centralized location such as a log collector appliance or SIEM, or having full packet captures to an appliance (or both!) are two things that are essential in my mind for being able to effectively research events like these. Here are two suggested ways of doing this "on the cheap" (the only cost is hardware and time essentially) For the log collector/SIEM, an open source solution I can recommended is ELSA: enterprise-log-search-and-archive - Enterprise log search and archive (ELSA) is an industrial-strength solution for centralized log management. - Google Project Hosting "ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing." For an open source full packet capture solution, I've read about openfpc: openfpc - Open Full Packet Capture - Google Project Hosting "OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools." ... View more

So the proxy's denying the traffic? Is the proxy transparent (ex. is it using WCCP?) Or do you explicitly define the proxy on your clients? The Skype client might need to be told about the proxy server in that case. ... View more

If you allow SSL and URL filtering but you don't intercept/decrypt SSL, won't that not work? Or will PA try to match based on the certificate? Also make sure you allow skype-probe too in your App column (or I guess PANOS 5 handles app dependencies automagically, so it won't be an issue). Doesn't hurt to have it explicitly defined though ... View more

Nice! Thanks for sharing your final solution. I haven't done anything with LSVPN yet, but it's in the back of my mind if/when we start deploying remote PA firewalls to some of our remote offices. ... View more

Ah I see. I was thinking of the old X-Auth method, I didn't realize a GP subscription was needed for the new iOS app. Good to see an official confirmation from PA on this. ... View more

As I understand it you only need the GlobalProtect subscription if you want to do HIP Profile type stuff when your iDevice connects. The table in that image above is misleading... you don't have to have a GP subscription if you just want to provide VPN connectivity, only if you want to do the HIP Profile matching. ... View more

nisse wrote: What release are you running? I have a few 2050s in our lab so I can have a go at it some time this week to see if I can reproduce your problem. We have two lab PA2050s... we tested with both 4.1.11 and 5.0.2 as I recall nisse wrote: As I understand you have two zones and an allow all rule on service http with one interface assigned per zone? That is correct... we used the "web-browsing" App-ID too. nisse wrote: What tool did you use for testing? We used IXIA's BreakingPoint to test. The BreakingPoint device was acting as the client and the server (two separate interfaces). We actually had a BreakingPoint engineer here during the tests as well. FYI, I would honestly love to be proven wrong! I like our PA devices, and I'm trying to push for using them more in our network designs. ... View more

mikand wrote: So to max out throughput numbers a test something like this could be performed: 1) Use a single security rule that is setup like: srczone: any dstzone: any srcip: any dstip: any appid: any service: any threat: none selected (like no IPS, AV, FILE, URL etc). options: none select (like no logging etc). We created something similar to this... I built an "outside" zone and an "inside" zone, with them bound to one interface each. I had one rule at the top of the rulebase for the test, testing from outside -> inside for application web-browsing. Also the Service column was set to "service-http." We tried with logging on and logging off as I recall... we still weren't able to get decent numbers out of the PA2050. Also we checked the switch interfaces throughout this test (show int gig1/1, show int gig1/2, etc) and they were clean throughout the testing. ... View more

My only response is another thread both of us participated in... 2050 only handles 1/4 of its advertised throughput I'm watching the YouTube video and forwarding it to my team, maybe we overlooked something (I really hope we did overlook something) ... View more

Also note as I understand it you don't need to go from 4.1.11 to 5.0.0 first, you can go straight from 4.1.11 to 5.0.3 (just make sure you have the base 5.0 image and 5.0.3 downloaded) ... View more

Just FYI support assures me that 4.1.12 will contain the high CPU fix as well... it's due out the last week of April (straight from support) ... View more