About mikand

Thinking of the following fix in 4.1.8? " 43575 – After upgrading to PAN-OS 4.1.7, the management interfaces (web interface and CLI) sometimes stopped responding due to a conflict between the authentication and logging processes. " ... View more

1. Cant one combine PBF (policy based forwarding) with a route-based vpn tunnel as nexthop? ... View more

1. See ppatel answer. You have a revertable image and you can also load other images aswell (the later will take a few minutes to complete since it will re-install the image you like). 2. I think that depends on the model and how large the drives are. I prefer to delete stuff I no longer have use for and keep only the previous (and perhaps the version before that) still on the box. You can always download the images again if needed (keeping the old images is just to not to have to wait for the download to complete in case one need to rollback). 3. You can use the maint-mode to reset the device into factory settings (the current image will be used but all settings and logs will be wiped). 4. I think its safe to use a PA box just like any other networkconnected device. The main difference (depending on which models of Juniper you used previously) is that the PA have a dedicated mgmtplane running linux. So if you just unplug the powercoard it might take a few more seconds to boot up next time due to harddrive checks. Compared to Juniper the PA main configuration method is to use the WEB rather than CLI as GUI. 5. The logs are like a cyclic buffer so oldest entries will be overwritten by default. If you need to store the logs for a longer time of period you can get a Panorama log-only installation which your PA devices will push their logs to. You can also use plain syslog to archive the logs. Also CEF is supported in case you run Arcsight. 6. Except for what ppatel already said the guideline when setting up security policies in a PA for NAT-use is: srczone: <prenat srczone> dstzone: <postnat dstzone> dstip: <prenat dstip> 7. Sorry I havent done dynamic routing with PA so I dont know. 8. See 6 above. 9. See 7 above. Bonus: If you havent seen these docs before these 2-3 docs are great in order to better learn how a PA can be used: Designing Networks with Palo Alto Networks Firewalls https://live.paloaltonetworks.com/docs/DOC-2561 Diagrams and Tested Configurations https://live.paloaltonetworks.com/docs/DOC-2560 Threat Prevention Deployment Tech Note https://live.paloaltonetworks.com/docs/DOC-3094 ... View more

Did you get any answer from the app enhancement team regarding this? I fully agree with you... even if one most of the times tries to protect clients from doing bad stuff one will also end up using a PA to protect servers from being used for bad stuff (depending on the definition of bad). ... View more

Since it takes two to tango VPN - what do you have at the other side? And if possible, could you put one of those peers much closer to your PA to rule out any interference from the network(s) in between? Also, how is your security policies setup for this traffic? And is your ipsec setup on a physical interface (which perhaps goes up and down?) or a loopback interface? ... View more

Your device is obviously malfunctioning for some reason. Did you file this as a bugreport and what did the support tell you? A similar event regarding 2000-boxes and SSL was spring 2010 (3.0/3.1.something) where the SSL engine failed in mgmtplane which gave all sort of funny results (because the MITM cert is created on the fly by the mgmtplane and then cached in the dataplane if im not mistaken). That bug was fixed a few weeks later after being reported (and debugged). ... View more

Perhaps you can get the money back for that websense license? 😉 To my knowledge PA doesnt support thirdparty url-category databases such as websense (some rumours that ICAP might show up in future but I have no idea on when). What you could do (assuming your websense is an appliance) is to put that in front (or behind) your PA and direct your webbrowsing through that box. And when the license expires for the websense box you buy a PA licens instead. Otherwise I would recommend you to talk to your sales engineer and see if PA have some sort of "replacement discounts" or such (or if you can sell whats left of your websense license to somebody else and buy that PA license instead). ... View more

Is this a local account or by radius? If its the later I think you need to login with ssh (or if it was webgui) first so the PA device will create the homedirectory for the useraccount otherwise the user cannot login over ssh (or if it was webgui). ... View more

Yeah that would suck because you are then basically locked into how it looks today. What if you set it up as vwire? I mean something like: int1: vwire towards zone vwire_tmg int2: vwire towards zone vwire_external int3: vlanX 10.x.x.x zone internal int4: vlanY 156.98.x.x zone external And then you setup SNAT/DNAT for 136.234.x.x ip addresses except for the ip's used by the TMG which the vwire would solve for you? Because with vwire it should be just like if you connected the TMG directly to the external switch/router. ... View more

Also make sure that the logged in user is allowed to perform system upgrades. If you are logged in with a user which lacks this feature you can still initiate an upgrade but after a few minutes it will fail. ... View more

Previously there were just two additional licenses one had to keep track of: - Threat prevention (AV + IPS signatures) - URL-categories (Brightcloud) But now there is also "Additional VSYS" and "Realtime Wildfire signatures"? Where can I find which other additional licenses there are nowadays (except for contacting my sales engineer)? ... View more

Is this really true? I mean if you use userid and a new user tries to setup a session then this user will not be allowed until mgmtplane is back on track and can answer the dataplane which user is using the specific ip (which the dataplane then will case for the TTL one have set)? Also if using SSL-termination then SSL-based traffic will be blocked (new sessions) because the MITM cert is being created by the mgmtplane on some models (at least on the PA2000-series)? And finally you will lose log-entries during the time mgmtplane is offline? So already established traffic shouldnt be affected, but new sessions might be affected (depending on if you use userid and/or ssl-termination). ... View more

If you have updated IOS and fairly new supervisor it should support ECMP according to: Release Notes for Catayst 4500 Series Switch, Cisco IOS XE 3.1.x SG - Cisco Systems " 8-Way CEF Load Balancing Yes Yes Yes " http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25-553133.html ... View more