About ericgearhart

mikand - I know you're joking but that might not be fair... PA might simply not have enough QA folks to keep up with new releases and bugs. It might not be specifically "lazy/incompetent QA," it might be just that PA needs to throw more money at QA because QA is swamped with too much work ... View more

Thanks for the reply mikand... yes we were definitely trying to recreate something near the NSS Labs results. We went into this hoping that we'd be pleasantly surprised at the 2050's performance numbers given NSS Labs' numbers. ... View more

That's a weird quirk! Good catch. I think there weren't any replies just because no one expected such a weird quirk honestly ... View more

There's a GUI for Mac too apparently... I haven't test it though: vpntool - Graphical user interface for VPNC, the open source Cisco VPN client - Google Project Hosting ... View more

If you enjoy the fast paced world of Quality Assurance then 5.0.2 is for you! Otherwise stick with the 4.1 series until 5.0 stables off. Just my two cents. ... View more

This test was conducted using some pretty idealized conditions as well (as idealized as we can come up with)... HTTP GETs between a client and server, with only the PA 2050 acting as the router/firewall between the two subnets. Also we made sure App-ID caching was enabled, just in case turning that off had a performance impact. ... View more

Just FYI I was able to get vpnc working on both Linux and Mac... XAUTH works great. ... View more

Thanks mikand for the well researched and informative post... I know I was "baiting" a bit by saying that PAN claims to be "port agnostic," and you provided the great response I was hoping to see ... View more

What's your rationale for not ever using service:any? One of the selling points that PA uses is that their firewall is "port agnostic" - App-IDs can be relied upon over TCP ports The app cache pollution vulnerability that recently was an issue was fixed - they don't cache the App-ID anymore ... View more

I just tried to open each of those links to the Threat Vault in the original post, and I had to close the tabs and open them a second time for them to work (on each individual link) It seems that some sort of web session or cookie or whatever gets established the fist time the link is visited, but the page doesn't display the first time. When you hit the link for the second time the actual page displays. Sounds like a session thing to me. ... View more

Wouldn't the simple solution to this be to define a custom 'Service' named apache-subversion-nonstandard or something along those lines and define the port there, then populate the service column with that custom port definition? I get what you're saying though... if it's a common practice to co-deploy SVN alongside Apache then the default App-ID ports should reflect that ... View more

I know this sounds rather snarky and is offtopic for this particular thread, but to put it delicately I would suggest that PA ought to evolve their current definition of a "full QA testing cycle." From my own personal experience at work and some of the frustration expressed on this forum by other PA customers, there is room for improvement with regards to what is in the scope of what is tested. ... View more

The biggest gotcha with Polycom VTC devices that I have dealt with involve the device itself not being 'aware' that it is being NAT'd. Our CheckPoint firewall (our current edge firewall) actually recognizes the H.323 traffic coming from our VTC devices, and rewrites the IP address in the actual packets themselves to reflect the public IP address that our VTC devices are hidden behind. You can see this happening or not happening if you get a packet capture of the device and look at it in Wireshark - the built in Wireshark decoder shows the IP address the client "thinks" it is coming from. If you placed the device behind a DSL modem and a router this wouldn't fix your problem... the VTC device would still "advertise" itself as being behind a privately routable address, not the public IP. Even if the remote VTC device receives the traffic, the remote device is still "dumb enough" to try to connect back to the inside IP address of your Polycom, not the NAT'd IP you actually came from. This is kind of hard to explain without a whiteboard... I hope you follow what I'm saying 😕 Are there any settings on the Polycom where you can explicitly set a public IP address that should be "advertised"? Then you could statically NAT the relevant ports on your Palo Alto back into your VTC device, for this one particular remote public IP address that you're trying to establish a VTC with. I fought with this for a couple of weeks, a few months ago, so a lot of the problems with VTC are still somewhat fresh in my mind. ... View more

Very cool! Nice to see Palo Alto has their product line in eval for EAL4. Thanks! ... View more

No big deal man it's an easy mistake to make believe me! When I first started working at the company I'm now with I was new to PAN, and the service column was weird and mysterious to me. I'm almost of the opinion that there should be some kind of commit warning if the service column is left at 'any' for any rules in the policies tab that are bound to the 'untrust' zone. That's just my own humble opinion though. ... View more