About mikand

The limit is rather how many concurrent ssl terminations the box you have can do. If you have plenty of SSL traffic to decrypt you might need to step up one or two models (in terms of number of concurrent ssl sessions). ... View more

This is why continous tcpdump is nice to have 🙂 First I would verify if the srcip is the same for all 302 attempts. Second I would guess they was sent with 100 or so concurrent connections which I guess could end up with an situation where more attempts has passed through before the srcip was cut off totally. I mean the attack was not (just guessing): connect login connect login ... but rather connect connect connect ... login login login .... Edit: As a sidenote most FTP servers have such "anti-hammering" as a setting like filezilla among others which I guess might deal with this better than the FW. ... View more

I guess this should be possible with the XML API. ... View more

I used google translate on your text to understand what it says so Im not sure if the answer is valid for your question but here it goes: Checkout Network > Network Profiles > Zone Protection to see various methods of "protection" against bad packets. ... View more

You can request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. I think the above can also be used to suggest new/updated threatid's (in case the threat team somehow missed it). ... View more

What about deploying it straight at each DC and in the configuration set it to only read security log from localhost? This way the only traffic is the one between PA and each DC/Pan-agent server (which would be very little compared to when the security logs is being tailed over the network between pan-agent and each DC its set to monitor). ... View more

Check out if any of these documents might help you? ... View more

What do you mean by that the are cached by the PA device? Session offloading is as far as I understand a way to optimize resources of the FPGA/ASIC in the PA. When you disabled session offloading I assume this is done globally, did you notice any other behaviour changes when you did this (performance decrease or such)? ... View more

I would also be interrested in if someone has some more information regarding this matter. ... View more

How is your pan-agents configured? If im not mistaken you need to type something in the ipfilter field in order for the pan-agent to start pickup this information. ... View more

There are docs in the documentation area on how to setup two ISP's at once - this would be similar setup (see TFW1 as "ISP1" and TFW2 as "ISP2"). The PA cluster must "ping" each uplink to determine which way is functional. However in order for this to work without switches in between you need to do a manual full-mesh. Meaning PA1 is connected with one (or more) wires to TFW1 and with one (or more) wires to TFW2. Where PA2 have the same setup - otherwise you might end up with PA1 is dead so PA2 became active but TFW1 is still active and TFW2 is passive. As already mentioned you wont need this full-mesh if the passive unit of TFW cluster acts as a L2-device (similar to how HSRP/VRRP works). Another method is to setup PA as active-active cluster or two single boxes (however the later will most likely demand some sort of loadbalancing before the PA cluster so a specific client will use a specific PA on its way out in order to keep logs in a sane way but also for the appid and flows and stuff in PA to work properly). You could also use PA-cluster as VWIRE (without active/passive failover) to avoid routing/pbf headache 🙂 ... View more

Thats the point if you wish to allow http-only traffic. Because as soon as the traffic is being identified as some other appid it will be that appid you need to allow (or if you use appid filter then its categories of appid's). But I agree, it would be nice if the PA could identify a flow as several appid's at once instead of having only one appid per flow. So if you allow web-browsing (or lets rename it to http-only as example) that would allow everything that is using a proper http based transmission including facebook, youtube etc compared to today where you must explicitly allow facebook, youtube etc (or setup an appfilter). ... View more

Another method is to create a custom appid where you check for http-header values such as HEAD, GET and POST and only allow those. This way it will allow blank http requests if thats what you need (and blocking smtp, snmp and other stuff which isnt http). However I think web-browsing should do this. A problem with appid in PA is that web-browsing is an appid on its own. It means that once the traffic is being recognized as some other appid you must allow that aswell. For example youtube. The first request will most likely be logged as web-browsing, but soon the PA will discover that this is a specific appid named "youtube" and will handle the traffic as such. If you only allowed "web-browsing" then your traffic will suddently get blocked (unless you add youtube as allowed appid, or for that matter create an appid on your own with "loose" settings). ... View more

Also verify if you have enabled (or disabled) to log container page only: " The URL Filtering feature can potentially generate a large amount of log entries. In order to reduce the log volume, you can configure a URL Filtering profile to only log container pages. This will only create a log entry for those URIs where the requested page file name matches certain mime-types. The default set includes the following mime-types: * application/pdf * application/soap+xml * application/xhtml+xml * text/html * text/plain * text/xml You can add additional container page mime-types under Device -> Setup -> Content-ID -> Content-ID features -> Container Pages. Note that when container page logging is enabled, there may not always be a correlated URL log entry for threats detected by Antivirus or Vulnerability Protection. " ... View more