About mikand

You mean find samples to test the function? Malc0de ... View more

Slightly off-topic but I guess this is the thread you both are refering to ? 🙂 Want some examples why NSM is a piece of junk? - J-Net Community ... View more

As a sidenote, did this feature work in 5.0.3? And do you have a bugid available for this case? ... View more

That is because if I disable access to the logs for this particular user I wouldnt be to happy to see that this user can still backdoor into this loginformation via widgets, or the REST api or whatever other entrypoints towards the logs there might be. ... View more

Did you refresh your contact with PA so it isnt that somebody is on vacation, sick or even left PA all together or such? Regarding 2000 series, if I would about to buy some new gear I would look at the 3000 series instead of the 2000 series. Much better commit times and better SSL decryption performance (in terms of concurrent ssl decryptions) aswell. And in case 3000 isnt enough I would go for 5000 series. ... View more

Have you filed this as a bug to the support? I have seen some threads aswell in this forum regarding VPN issues which seems to be fixed when you recreate the VPN settings. One of the issues I think was when the order of where the VPN settings are placed within the running-config file was changed between two releases. Is it possible for you to do a diff between the faulting config and the config which now works? Im thinking of if some naming standards has been changed which wasnt pickedup by the conversation scripts (which I assume exists when you go from one version into another?). ... View more

Also, as debugging, create a new profile where you set everything to alert that is: Critical: Alert High: Alert Medium: Alert Low: Alert Informational: Alert and then create a new security rule (only for this particular srcip or if its dstip in your case) above the current one. In this new security rule attach the new vuln profile from above. Now you should hopefully see what is being identified for this traffic flow. If you are not comfortable with setting all levels to Alert you can set them to Block (since this is just debug) - blocked traffic should be logged if you have set the "log on session end" (I guess "log on session start" wont pickup any threat). However isnt the Threat log on its own not depending on what the security rule itself is set to? I mean I though the security rule was regarding Traffic logging. If a vuln should log or not is set in the vuln profile itself (such as Alert means log only while Block means block and log, while Allow will not log at all (for this you use Alert instead)). ... View more

I guess the dashboard isnt more grunlar than enabled/disable according to the manual: set shared admin-role <name> description <value> role device webui dashboard {disable | enable} What about if you do the other way around? Create a user which has everything disabled except the "dashboard" which is enabled, will this user still be able to view the logs through the widget? If yes I think you should file this as a bugreport. I agree with you that even if the dashboard itself has its own role it should still not allow the user to "backdoor" into various information such as the logs (if the logs are disabled for this user) through the log widget. ... View more

Another thing to take into account is if you will be performing ssl-termination (highly likely if this box will face Internet) since the concurrent ssl decryptions varies between the models. For PA-5000 series its (if I recall it correctly): PA-5020: 15000 PA-5050: 45000 PA-5060: 90000 A way to "bypass" this, if you have two boxes, is to configure the two boxes independently and then use some loadbalancing before/after the PA-pair. So half of the clients goes through one box and the other half through the other. ... View more

I guess everything else is running? If you need to have it back on track I would suggest to try to reboot just the device-server (mgmt-plane) - but if its not critical its better if you can contact the support so they can see this for themselfs before restarting any processes. There is supposed to exist a watchdog which should automagically restart crashed processes so this might be due to something else, like a db or even hdd-crash (that is partition holding the particular table which threatlogs ends up in) or such? ... View more

If you create the cert within the PA box then this will become your dedicated CA. In this case I would recommend you do two exports: 1) Public and Private key as p12 (with passphrase) - store this safetly offline. This is a backup of your public/private keypair. If you use HA this export should be imported on the other PA device. 2) Public key as p12 (with passphrase - best practice if you ask me), or as PEM if you like. This one can be stored online and its this public key which you will by GPO "install" on the clients as "Trusted CA" (or manually install on boxes which are not part of your AD). The point of installing this public key as trusted CA is to avoid getting warnings in your browser that this ssl session cannot be trusted (that is if you didnt install this public key as trusted CA). Other methods is to use openssl to create this "CA-cert" (or rather selfsigned cert where private and public key is put into the PA device and the public key put into the clients "Trusted CA" container). If you need a GUI then TinyCA2 is a great help: http://tinyca.sm-zone.net/ http://www.ghacks.net/2009/09/16/create-your-own-certificate-authority-with-tinyca/ That is as long as you dont have any corporate policy on how certs that are being used or trusted by your clients should be created (like using an offline HSM setup etc). In this case things like OSCP/CRL is not needed which gives that you wont "need" a PKI environment to generate the CA cert being used for termination - using PA builtin method to create this by the PA box itself is all what you need (function-wise). ... View more

1) Do _NOT_ export the private key. The client should _ONLY_ have the public key of the CA being used. 2) In short PEM is the certs/keys in "cleartext" while p12 is a package which can have a passphrase before you can read its content. 3) I would recommend you to setup a dedicated CA to be used for termination. The public key of this CA can be deployed through GPO to the clients. I think there is a technote somewhere around here describing what and how to do the GPO magic. A thing to consider (performance-wise) is the keylength you wish to use for this CA. 512 bytes is good for performance but often not good enough security-wise. However this cert is only being used on your internal network that is between your PA and your clients which gives that you wont need 16384 bits for this keylength but 4096 or 2048 should be enough (or if possible 512). The longer the key is the longer it takes for the PA to setup the SSL with the client (or rather for the client to setup the SSL with the PA). Edit: Here are the SSL-docs I had in mind: ... View more

Also check with the supplier if a discount is possible for replacement of your 2000 boxes? That is so you wont have to pay the full price of a new pair of 3000 boxes if you return the 2000 boxes at the same time. The 500 series has a ram upgrade available (which lowered the commit times with about 30% or so according to posts in this forum) which unfortunately doesnt seem to be possible for the 2000 series. ... View more

There is a debug command to list all appid's within a PA box, could this debug command be extended to also be able to display current decoders? ... View more