About mikand

Could it be a client who configured to use HTML5 instead of flash to playback the movies? ... View more

Hopefully this thread will answer your question: ... View more

Regarding those scores, thanks 😉 Regarding those proxies another example is wildfire. Even if PA hardware design most likely cannot be used with a ICAP and then continue (that is client click on a link, PA downloads the file, sends it to ICAP, gets the response and if negative (that is nothing bad was found) it will forward the file to the client) at least not with +10Gbit/s speeds (because the mgmtplane would need to be part of this) it perhaps should be possible to make it a one way the same way as with wildfire (this way, as with wildfire, the files can be buffered by the mgmtplane and it in some extend doesnt matter if the file was scanned now or a few seconds later (due to high load)). That is client downloads file but instead of sending it to wildfire the PA device will send it as ICAP to a ICAP server. The response will then later be attached to the log. This wont bring you DLP (as in prevention) but at least DLD (as in detection) - the question here might be if this is enough (at least it would be enough for those who accept DLD)? Perhaps something for PA to consider for upcoming hardware releases? Same goes (if we speak about DLP) with that 7 bytes limit (your signature must look for 7 bytes or more)... ... View more

So how do you explain the SSL/SSH-proxy and DNS-proxy? :smileysilly: ... View more

And you dont have a testing environment available? 😉 ... View more

Actually its PA who has defined what a "Next generation firewall" is according to Gartner. But sure now when the competitors noticied they need to call their stuff "NGFW" aswell (even if they in many cases isnt a NGFW) then PA seems to have been stressed in a bad way. But I agree with kevin.thys - Im too a bit worried about the degree of bugs and malfunctions that are being found in the PA product line (or rather PANOS line). Or rather that these bugs/malfunctions are still there in RELEASE code and in multiple cases also still present even if the devteam claims its fixed. Im thinking of the lately QoS-bugs aswell as the 100% cpu on the mgmt-plane. Would be interresting if some official comment could be made from a PA representative in this thread regarding how the QA process is or will be improved. Whatever was done last summer (when it is claimed that developing was halted and focus was put on fix issues/bugs in currently releases) doesnt seem to have been enough. And currently things like this will be used as an argument against choosing PA which I find is troublesome (specially in situations where PA would replace another vendor in a design where it in many cases is easy to forget current issues with the current vendor for those who like that vendor for one reason or another, for example that Checkpoint cannot deal with NTLMv2 Identity Awareness Wizard authentication fails is put aside because "AppID in PA doesnt work anyway" according to the youtube video Checkpoint presented last christmas (even if PA was fairly fast to fix this issue)). ... View more

Hmm yeah this seems to be the (currently) only proper and practically usuable way to deal with a situation where one would need to block plenty of ipaddresses. It also has a name 🙂 RTBH - Remotely Triggered Black Holes http://tools.ietf.org/html/rfc5635 http://tools.ietf.org/html/rfc6666 http://packetlife.net/blog/2010/aug/23/source-based-rtbh/ https://www.inex.ie/rtbh http://www.netnod.se/files/download/453 You would most likely need to up the "maximum-prefix" in your BGP-settings like so (and use a device which can store and use +200.000 routes): neighbor x.x.x.x maximum-prefix 250000 Which gives - how many routes (through BGP) can various PA-devices deal with? ... View more

I can only see a description for this in the PA-5000_Hardware_Guide_RevB.pdf page 19: CAUTION: For a DC system, use a grounding wire of at least 14 American Wire Gauge (AWG). The 14 AWG wire should be attached to an agency-approved crimp connector (Tyco 34120 or certified Lug), crimped with the proper crimping tool and attached to the protective grounding lug, using a size #8-32 nut and a star washer (supplied), on the chassis with the other end connected to the building ground. Torque the nut to 15 in.-lbs. Do not over tighten. ... View more

Yes in this particular case using some kind of IPS signature to trigger the DoS-protection is probably the way to go. But then what? How many ip addresses can the PA dynamically block by the DoS-protection feature? Doesnt it too have the same limit of max 25.000 entries on a PA-5000 series box? Which brings me back to the original question - ignore the wordpress thingy. The use-case is that you need to block 200.000 /32's - how the hell are one supposed to do that nowdays without a major performance drop (and that is without putting 8 x PA-5000 boxes in a line :smileysilly:)? ... View more

Sorry about that... But in this context it doesnt seem to matter if you use a dynamic address object or a dynamic block list - the limit is still 25.000 ip addresses on a PA-5000 box, isnt it? ... View more

Isnt it possible to create a deny without a blockpage? ... View more

Sourcenet has some paloalto-related tools on play-store but I doubt its this one which the press release is referencing: Mobile User-ID Beta1 - Android Apps on Google Play ... View more

Thanks for the suggestions but the main problem remains - how to efficiently block shitloads of ip-addresses? The maintenance of the address-list is fairly simple - create a sql-table and use the export function to dump the addresses in sorted order into a txt-file on your webserver when needed (and if you got some time create a web-gui to make it easier to search and handle the db). And with the help of the dynamic block list will make the life easy for the admin - with the downside that not even the PA-5000 series can hold more than 25.000 addresses... The problem is that there doesnt seem to exist any hardware today that can load these +200k addresses and filter them without any noticable performance-drop (for example iptables works up to approx 30-40k). A fugly workaround might be to use a couple of 48 int cisco switches (given that it can do 1k ACEs per interface), setup 24 VLANs on each and then just a bunch of networkcables to connect the VLANs in serial with each other. You would need about 400 interfaces (200 VLANs) but you would solve the problem (or about 10x boxes running iptables)... which seems odd to me that in year 2013 the network hardware is still very limited in this area. I mean the TCAMs used 1k ACE's in the 90s and they still seem to have the same limit today while computing overall is way faster and have way more memory today than back in the 90s :S How is the geoip stuff handled within a PA device? Could that be used to put all these 200k addresses into a single country named "blacklist islands" and then just create a single security policy where you drop any traffic where srcip = country(blacklist islands)? Or for that matter setup a security police which use FQDN (srcip = blacklist.example.com) with roundrobin (and the roundrobin is a list of 200k ip-adresses)? :smileysilly: ... View more