About ericgearhart

mikand - the high management plane CPU issue that is fresh in my mind is from the use of the User-ID agent, and that fix is in 4.1.12 (not out yet - we're upgrading to 4.1.12 as soon as it gets GA released) ... View more

Doris, Some kind of an "this is what we're doing to ensure this doesn't happen again" explanation would be much appreciated... otherwise, what are we as customers expected to do? Only do content updates once a week? ... View more

I have not built an ELSA myself (yet), but I often look for open source solutions to problems that I've had in the past when I worked under a shoestring budget (or a nonexistant budget!) I built an rsyslog/phplogcon box at a previous employer I worked for who had basically no budget, but if I had the opportunity to "do over" that implementation and ELSA was around, I would have at least taken a hard look at ELSA. Unfortunately where I currently work we use a commercial centralized log / SIEM solution that works great for us (and that we've invested a lot of time into), and our PAs log to that. My suggestion was the "on the cheap" way of getting near commercial value out of an open source solution to the same problem. ... View more

There's one big solution that I haven't seen mentioned here yet... the best part is it's free (well, the cost of the hardware to run it on and the time to set it up are the only expenses). Set up something like ELSA and send your logs from your PA to it! https://code.google.com/p/enterprise-log-search-and-archive/ ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing. Features: High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained) Full Active Directory/LDAP integration for authentication, authorization, email settings Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets Dashboards using Google Visualizations Email alerting, scheduled reports Plugin architecture for web interface Distributed architecture for clusters Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare I would even go so far as to offer to help you build a parser/normalizer for Palo Alto firewall events ... View more

Just FYI I believe the 'upgrade first to 5.0' rule applies when you're jumping more than one version...  I think to go from 4.0 to 5.0 you first need to upgrade from 4.0 -> 4.1 then on to 5.0 ... View more

Do you guys have any updates on why 5.0 was affected but 4.1 wasn't? It's really curious why the update affected one version and not another. ... View more

I just updated to URL Filtering content release 4059, and did a 'debug software restart device-server' followed by a 'clear url-cache all' and the issue seems to be resolved. ... View more

I'm assuming you work for PA... do you guys have appliances running 5.0 that you can try to recreate this issue with? I have a PA4020 running PANOS 5.0.3 with URL Filtering update 4058 that exhibits this issue (only custom URL categories show up with the correct category). I also have a PA5020 running PANOS 4.1.8 with URL Filtering update 4058 that does not exhibit this issue. ... View more

Just FYI... I have a PA4020 running 5.0.3 and I have a PA5020 running 4.1.8. The 4020 running 5.0.3 is affected by the "unknown" category issue. The 5020 running 4.1.8 seems to be unaffected... categories seem to be working fine. ... View more

I have a PA4020 running 5.0.3 and I have a PA5020 running 4.1.8. The 4020 running 5.0.3 is affected by the "unknown" issue. The 5020 running 4.1.8 seems to be unaffected... categories seem to be working fine. ... View more

Don't the PA appliances check in to and receive their BrightCloud updates from PA servers? If that's the case then PA is on the hook for this. If the PA appliances reach straight out to BrightCloud for their updates then I agree, I'm more inclined to give PA a "pass" on this one ... View more

I believe the recent trainwreck involving today's BrightCloud update that essentially broke all URL categorization (all URLs are categorized as unknown) speaks volumes about 5.0's readiness for production. I believe only the 5.0 codebase was affected.. I haven't seen anyone complaining about 4.1 having the problem. All sites registering as "unknown" mmartin wrote: Came in today with users screaming that they were getting blocked on all websites.  Finally extracted enough information from them that the category was coming up as “unknown” for all sites…even Google.  Decided it had to be an issue in the URL filtering…updated to latest Brightcloud…no change. ... View more

If you could get a full pcap of this thing (outside of the PA - I mean the "old fashioned" way, by setting up a SPAN port on your switch or using an inline tap) that might help with figuring out what the heck the firewall is doing. ... View more