About mikand

If you want to limit which FTP sites should be possible to visit you need to use FQDN or setup a dynamic address object which you then "feed" by a script running on some server (to inform the PA device which ip addresses this current adress object/group should point at). ... View more

You can already today use FQDN's even if I wouldnt recommend this (because this way if the attacker can alter your DNS then they will be able to alter your firewall rules aswell regarding srcip and/or dstip. You can also use dynamic address objects and "feed" your PA devices with info (from the DHCP server for example) of which device has which ip (mainly used for VMware but also handy in other situations aswell). ... View more

The downside of putting the PA between the client and the proxy, that is: Client <-> PA <-> Proxy <-> Internet is that the PA will only detect the "outer" application and that is "http-proxy". It will not detect whatever the client is actually doing such as youtube, facebook etc (however url-filtering will still work if im not mistaken). Another drawback is that ssl-termination (decryption) will most llikely not work so you will be blind for SSL traffic aswell. Is it completely impossible for you to set it up as the following instead? Client <-> Proxy <-> PA <-> Internet Because this way, given that the proxy is configured for keepsource=yes (or "reflect client ip" or whatever it might be called - that is packet sent from Proxy has the client ip as srcip) you can use UserID out of the box (that is for example if the clients are part of an Active Directory or such which the UserID then can get a mapping from through PAN-agents (either local in PANOS 5.0 or dedicated machines running PAN-agents (which can also be runned directly on the Domain Controllers))). AND you will at the same time be able to use ssl-termination along with proper appid's. In the above example any NATing will be performed by the PA aswell (unless you have some other box closer to the Internet that does this for you). ... View more

Even if not all 10.000 employees would browse at the exact same moment the thing to watch out for is the SSL-capabilities (which if you ask me is a must nowadays). If you just look at the bandwidth (assuming 1Gbps uplink) a PA-3050 or even 3020 "should" be enough - but if you can afford a PA-5060 then why not 🙂 Specially when the difference regarding concurrent SSL sessions are: (SSL decrypt sessions) PA-5060: 90.000 PA-5050: 45.000 PA-5020: 15.000 PA-3050: 15.360 PA-3020: 7.936 ... View more

Nice find! *saved* ... View more

Another thing is to perform whitelisting and make that hole as narrow as possible. For example: 1) Enable ssl-termination (not allowing traffic that cannot be terminated). 2) Blacklist appid's and app-groups you dont want to allow. 3) Blacklist url-categories you dont want to allow. 4) Whitelist appid's and app-groups you wish to allow. 5) Whitelist url-categories you wish to allow. 6) Default deny and log on session end. Using PANDB will most likely be more granular than the Brightcloud DB (that is not only domain but also part of the URI/URL aswell). The blacklists should be as large/broad as possible while the whitelists should be as narrow as possible. The point of placing whitelist AFTER blacklist is if you for example end up with a sitation such as: you wish to block www.example.com/badside but allow www.example.com in general. Since PA uses top-down first-match the url with www.example.com/badside would be blocked with above. If you had whitelist first then the badside would have been allowed. ... View more

I always end up with visiting PA-5000 Series and then click on the platform specsheet for the model im interrested in. But it would be great if the informaiton could be compiled into a single sheet ... View more

If you have security policies which uses userid and/or urlfiltering (that is categories from Brightcloud or PANDB database) new sessions which hits these rules might be affected during the reboot of the mgmt-plane. Note however that current userid's are cached in the dataplane aswell so it would be if a new user shows up during this reboot, then this user would most likely have its traffic blocked during the reboot of the mgmt-plane. Already known users are cached in the dataplane and would not be affected of that reboot. Also note that for obvious reasons you wont have any logging while the reboot is in progress. ... View more

Also instead of altering the registry try to use this cmdline instead: netsh int tcp set global timestamps=disabled http://technet.microsoft.com/en-us/library/cc731258%28WS.10%29.aspx#BKMK_6 You might need a reboot afterwards aswell... ... View more

Not that im aware of. Disabling timestamps should be done at the endpoints if you want to block timestamp information. Easy to do in a linuxbox: echo "0" > /proc/sys/net/ipv4/tcp_timestamps Did you reboot your windowsbox before you did the new nmap test? Also verify with pcap so the uptime which nmap picks up isnt from some application running on your server. The "no ip tcp timestamp" is usually for traffic that the cisco device itself generates (such as stuff from its mgmt-interface etc) and not for traffic that passes through. However note that timestamps are part of "high performance tcp" if I remember it correctly so disabling timestamps could in some situations be bad (http://www.ietf.org/rfc/rfc1323.txt). ... View more

A DC shouldnt be needed at remotesite for the userid to function. The question here might instead be if the ip address the client at remote site uses is the same ip as your PA device will see (that is no NATs on the road)? Because what happens with userid is that the PAN-agent will tail the security log of the DC-servers and trigger on these EventIDs: Windows 2003 DC: - 672 (Authentication  Ticket Granted, which occurs on the logon moment) - 673 (Service Ticket Granted) - 674 (Ticket Granted Renewed which may happen several times during the logon session) Windows 2008 DCs: - 4768 (Authentication Ticket Granted) - 4769 (Service Ticket Granted) - 4770 (Ticket Granted Renewed) and by that create a userid <-> ipaddress mapping database. When you enable the userid feature of the interfaces facing the clients in your PA the PA will use this userid <-> ipaddress database to find out which userid is currently using which ipaddress. ... View more

You cant setup your syslog-server to send these emails when the particular log-entries flashes by? ... View more

Thats somewhat not true... If you use security policies which uses userid and/or url filtering a restart of mgmt plane will affect new sessions which otherwise would hit the particular security rule and its action (if its allow or deny). ... View more

Have you tried contacting the appid team and what was their response? http://researchcenter.paloaltonetworks.com/tools/ Even if PA doesnt support rewriting then it should still be possible to use appid to handle these safesearches. Specially with PANOS 5.0 who have done some work regarding appid dependencies (that is lets say you have a "google-safesearch" - instead of only looking at the url this appid could first allow a regular visit to google pages but then that the search result must be with safesearch in order to let through - the problem here might be on how to notify the users that they should enable safesearch before they can use the searchengine (since you can only have one blockpage today)). ... View more

Sounds like a case where you should contact the appid team and submit this as a request: http://researchcenter.paloaltonetworks.com/tools/ They will most likely want some pcaps of these failing sessions aswell. Or if you have a supportcontract you wish to try out take it that path instead 🙂 By the way, have you tried taking some pcaps of these clients when this problem surfaces? I mean if there is something obvious going on in there by just looking at the traffic (that is that it actually is http-audio which youtube sometimes tries to send to these clients)? ... View more