About mikand

I dont think that should matter that much bandwidth wise. Unless the PAN-agent copy the whole security log each time. Hopefully it can use some kind of pointer regarding from which row or time it want to read the log which would give that either you download (as example) 1 megabyte each minute or 16.7 kbyte (1/60) each second (if we compare setting this value to read each 60 seconds vs each 1 second). ... View more

Do you have a direct link which doesnt load on your PA with decrypt-all enabled which I (or someone else) could test with? ... View more

What about this? 1) srczone: Trust VPN srcip: telus dstzone: any dstip: any profile: URL Filtering (VPN use only) options: log on session end action: allow 2) srczone: any srcip: any dstzone: any dstip: any profile: none options: log on session end action: deny The thing is that your "allow" (which you see in the security policy) is based on ip header while url filtering profile takes care of what you will allow/block based on url. However, if I recall correctly, another method is to only have allowed urls in your URL filter profile and let the default deny in the bottom take care of the blocking. Like so: 1) srczone: Trust VPN srcip: telus dstzone: any dstip: any profile: URL Filtering (Allowed for VPN) options: log on session end action: allow 2) srczone: any srcip: any dstzone: any dstip: any profile: none options: log on session end action: deny ... View more

Amount of bandwidth needed depends on how many clients you have, how active they are and how much bandwidth you can spare on your WAN. The PAN-agent is tailing the security log of the DC's its configured to follow which with many users doing all sorts of thing in your network will be chatty. So in your case if WAN is an issue you should install PAN-agent on a dedicated server sitting in the same switch as your remote DC, or even better - install the PAN-agent straight on the DC itself. Then when you configure it you configure it to only tail the security log from localhost (the DC server PAN-agent is installed on) and as an optimization limit client ip's to the ranges which this DC will handle (depending on how your DC structure is setup - DC as in Domain Controller in this case). For better hitrate you can configure PAN-agent to query clients using WMI (will use just slightly more bandwidth but should be far less than tailing security logs over the network). Then in your PA you configure your PA to query each PAN-agent which should be far less traffic than before (because PA caches the results and the stuff the PAN-agent sends to PA is just user/ip mappings). ... View more

Verify how the file you got in return from Thawte looks like. If im not mistaken you should include any intermediate ca-certs in there aswell so the contents of the file from Thawte should look something like (I dont exactly recall the text so this is more of an example) unless im confusing this with something else: -----BEGIN PUBLIC CERT----- base64stuff of CA-cert -----END PUBLIC CERT----- -----BEGIN PUBLIC CERT----- base64stuff of any intermediate CA-cert -----END PUBLIC CERT----- -----BEGIN PUBLIC CERT----- base64stuff of Thawtes signing of your key -----END PUBLIC CERT----- Which gives if there are more intermediate certs like Thawte Root -> Intermediate 1 -> Intermediate 2 -> Your cert the content should be: -----BEGIN PUBLIC CERT----- base64stuff of CA-cert -----END PUBLIC CERT----- -----BEGIN PUBLIC CERT----- base64stuff of any intermediate CA-cert 1 -----END PUBLIC CERT----- -----BEGIN PUBLIC CERT----- base64stuff of any intermediate CA-cert 2 -----END PUBLIC CERT----- -----BEGIN PUBLIC CERT----- base64stuff of Thawtes signing of your key -----END PUBLIC CERT----- ... View more

Just as a note, if you are in real problem you should contact the support address (dont forget to update this thread once resolved) since this is just a community forum (meaning even if one can think that PA people should monitor this and on their own fire up support cases unfortunately one need to manually contact support for real help (or whatever I should call it)). ... View more

Sounds odd because using a regular webbrowser and these sites are on the internet I dont really see why PA would be the fault here (unless they use some unsupported TLS version or such)? ... View more

If your updates goes through mgmt-interface you shouldnt need to define such security policy on the box having problems to retrieve the updates. However this PA box perhaps sits behind another PA box (which then of course this second box must have such security rule). ... View more

My guess is that you should open a support ticket so this can be hunt down. Dont forget to update this thread when you get an answer back from the support because even if this is just a warning it could be good to know what the warning is about (since the message is a bit cryptic). The error comes from the FPGA handling even though my Google skillz failed to locate what DFA stands for here is some more info on the chip being using in (I think) 5000-series: Palo Alto Networks, an Industry Leader of Next-Generation Firewalls, Designs Scalable, Leading Performance Product Line usingCavium Networks OCTEON� II Processor Family Cavium - Products > OCTEON II MIPS64 Processors > Silicon > OCTEON II CN68XX Multi-Core MIPS64 Processors Edit: My Google skillz seems to have returned: http://www.scribd.com/doc/59848216/Handbook-of-FPGA-Design-Security " DFA Deterministic Finite Automaton. " And what the above means is also explained in http://en.wikipedia.org/wiki/Deterministic_finite_automaton ... View more

Why not 4.1.9 which has been out for a week now? ... View more

At least according to the release notes for 5.0.0 (regarding new networking features): " Link Aggregation – The PA-500 and PA-2000 Series devices now support link aggregation. Note that link aggregation on virtual wire interfaces is not supported on the PA-2000 Series due to a hardware limitation. By assigning common ingress and common egress zones, two or more virtual wires may still be used on the PA-2000 Series in environments where adjacent devices are performing link aggregation. " ... View more

You might have stumbled upon the following issue which was addressed in 4.1.8: " 43575 – After upgrading to PAN-OS 4.1.7, the management interfaces (web interface and CLI) sometimes stopped responding due to a conflict between the authentication and logging processes. " The above is available if you go to https://support.paloaltonetworks.com and (if logged in) click on Software Updates and then the pdf for 4.1.8 22 Sep 12: PAN-OS-4.1.8-RN-revA.pdf ... View more

Well of course you need to educate your users so the moment they think the laptop is gone should pull up their cell phone and phone the IT department so the box can be blocked or killswitch signal sent and then phone the police to issue a police report etc. The point of "pre-logon" is that only the basics are allowed through your inner firewalls. For example only thing allowed with "pre-logon" will be stuff like (which is up to you as admin to decide): - DHCP (if needed, often handled by the VPN itself) - DNS (like own limited zone) - AD (to authenticate) - AV (to update your signatures) - WSUS (to update your MS OS) and basically thats it. Not until the box is fully authenticated the user in front of the screen will have access to fileservers, mailservers etc. If the thief can stick cain and abel on your remote device without problems you have for sure other security issues with your design - and this scenario can happen even without pre-logon (dump the SAM db locally from the computer and you in most cases have the AD admin and other high level useraccounts incl hashes in front of you - use the already installed user cert to pick up the VPN and voila you are AD admin). Thats why you need other counter-measurements aswell... for example encrypt the harddrives (so it isnt just a matter of booting on Backtrack and dump the SAM db's), educate the users to phone the IT department as soon as they think their device has been stolen etc (there are other stuff to consider like the "evil maid" regarding when you use encrypted boot devices etc), dont leave your device on its own when you are outside the corporate building(s) and so on. ... View more

I guess you have already read these documents on the subject? https://live.paloaltonetworks.com/docs/DOC-2008 https://live.paloaltonetworks.com/docs/DOC-2006 ... View more

How is your device configuration regarding CRL and OSCP checks etc? ... View more