About mikand

So one cant use SSL-decryption for itunes and appstore traffic? Other than that I think the url-filtering will also take a look at the CN part of the cert being used so even if it cannot decrypt the traffic (like the case of windows update) it can still (sort of) figure out the url being used. ... View more

Could it have to do with this case which was resolved in 4.1.8? " 43575 – After upgrading to PAN-OS 4.1.7, the management interfaces (web interface and CLI) sometimes stopped responding due to a conflict between the authentication and logging processes. " ... View more

As a sidenote regarding SPDY Kaspersky Anti-Virus 2013 use the following settings: Settings -> Advanced Settings -> Network Encrypted connections scan Scan encrypted connections: enabled Use HTTP instead of SPDY protocol: enabled The application does not apply heuristic analysis to data transferred over SPDY. ... View more

I dont think PA currently supports 1 to many NAT meaning (for example) incoming TCP80 is nated to two or more servers on the inside. ... View more

A current list seems to exist at https://live.paloaltonetworks.com/docs/DOC-1423  and was last updated 29th may 2012. ... View more

Is it possible for you to connect a Cisco 2960 or such to get a second opinion and use snmp against that device to find out the actual raw throughput (along with monitor the uplink port and save that stream as tcpdump to see how much raw data is actually being pushed)? ... View more

By the way how is that "ssl-exclude-cert" handled when you set a decryption rule to always decrypt everything (and block stuff that cannot be decrypted)? I strongly dislike equipment doing something hidden which isnt visible in the ruleset. ... View more

Which hardware and how many? Do you run them in active/passive or active/active (or nothing)? ... View more

I think that should work as long as your Alcatel devices can form some sort of "virtual chassis" or other method so they can form a single aggregated link even if they are 2 or more physical devices. ... View more

According to the admin manual: " Device > Setup > Session ICMPv6 Token Bucket Size Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range 10-65535 packets, default 100). ICMPv6 Error Packet Rate Enter the average number of ICMPv6 error packets per second allowed globally (range 10-65535 packets/sec, default 100). This value applies to all interfaces. " " Network > Network Profiles > Zone Protection Flood Protection Thresholds - ICMPv6 Flood Alarm Rate Enter the number of ICMPv6 echo requests (pings) received per second that triggers an attack alarm. Activate Rate Enter the number of ICMPv6 packets received per second for the zone that causes subsequent ICMPv6 packets to be dropped. Metering stops when the number of ICMPv6 packets drops below the threshold Maximal rate Enter the maximum number of ICMPv6 packets able to be received per second. Any number of packets exceeding the maximum will be dropped. " The stuff in device session only seems to monitor error packets while the stuff in zone protection is echo requests for alarm rate and all icmp packets for activate/maximal rate. So a followup question might be shouldnt the token bucket size always be equal or larger than the error packet rate (since they both act on the same type of packets)? To me the natural setting to display this statistics would be "show counter", but the manual isnt really clear of what all suboptions might bring you. Perhaps "show counter category fpga" could display these values? ... View more

Cant you just setup a custom category like iTunes_and_App_store containing: albert.apple.com ax.init.itunes.apple.com ax.itunes.com deimos3.apple.com gs.apple.com guzzoni.apple.com itunes.apple.com p22-buy.itunes.apple.com phobos.apple.com se.itunes.apple.com su.itunes.apple.com and then setup your rules like: rule1 {         from L3_Trust;         source any;         source-region any;         to L3_Untrust;         destination any;         destination-region any;         user any;         category iTunes_and_App_store;         action no-decrypt; }   rule2 {         from L3_Trust;         source any;         source-region any;         to L3_Untrust;         destination any;         destination-region any;         user any;         category any;         action decrypt; } ... View more

You mean one cable to Box1 and one cable to Box2 which then on the other end forms a single aggregated link? ... View more

I cant answer your particular question but if you are worried about PSU issues then you should get two boxes and make sure they utilize different PDU. Another option is to get an ATS (Automatic Transfer Switch) which will also be healthy for any other equipment such as ethernet-switches which normally only have one PSU: http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/ElectricalDistribution/ATS/index.htm Rack-mount Transfer Switches - Product Information ... View more

What is your settings of the pan-agent installations you run? Everything from TTL's to if serverlogs are being followed along with wmi query of the clients? ... View more

I dont know from where I got that PA-200 would be fanless... Trying to dig through the specsheets but no words about it there, however PA-200 is speced operating temp at 0-40C while all the other models have 0-50C. ... View more