About mikand

According to some docs the following eventid's are being monitored for by the pan agent: Win2003 DCs: 672 673 674 Win2008 DCs: 4768 4769 4770 So I find it interresting that your eventid 4624 would have something to do with this... has the pan agent been updated to cover even the 4624 events for some odd reason? ... View more

I totally agree 🙂 However, if Andre puts this as a feature request through his sales engineer I think its doable to have a checkbox in the http line if the http should redirect to https or not. Another feature request at the same time would be to be able to use custom ports for incoming mgmt stuff such as http, https, telnet and ssh. ... View more

Just guessing here, could service route configuration affect how the dhcp update is being sent? ... View more

Regarding your initial problem the timeout in PA should not occur as long as there are traffic being sent in either direction. So a question here might be why this streaming app obviously stops sending packets on its own so a timeout occurs unless there is something else malfunctioning on the road? Edit: Or is there some kind of "max life" timeout aswell (to deal with slowloris etc)? ... View more

Why not? Since the whole idea of SFP+ is to allow backward compatability with SFP-interfaces, or did I get this wrong (yeah I know some bad manufacturers doesnt support SFP in SFP+ slots)? ... View more

Checkout these docs for inspiration: ... View more

Yes, check out these templates made for Cacti: ... View more

Hopefully these documents might be helpful for you regarding url-filtering: https://live.paloaltonetworks.com/docs/DOC-3264 When you do url-filtering I would strongly recommend you to also perform ssl-decryption. A) I think it would handle it has an empty group then meaning that the particular rule would never match, which might be good or bad depending on if the rule is to allow or to block access. B) Usually CLI is recommended to do troubleshooting. I think the PA will list in GUI aswell but paged result (like 100 users/page or such). Each column in a particular security rule must match before this security rule will be a hit. The PA uses top-down first-match so in your case something like: 1) Blacklist 2) Whitelist 3) Everything else 4) Default deny + log might be a good setup. ... View more

I dont know what "Outlook Anywhere" is but you can as a test set appid:any and just allow the particular ports in service: in your security rule and then look in the traffic log to see how PA identifies the traffic. The appid database is also available online so you can search in there to find out if there already exists an appid for "Outlook Anywhere": Application Research Center Otherwise you can always create your own custom appid's unless they are of public interrest because then you can request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. ... View more

I hope you mean the public key when you spoke about public CA certs because I seriously doubt they will or should release their private key 😉 Regarding that cert list I have completely missed that, in which version did that show up (and whats the CLI commands to list and modify it)? Device -> Certificate Management -> Certificates -> Default Trusted Certificate Authorities (tab) ... View more

Could this be your case ? According to this PA supports TLSv1. But I think there were discussions in some thread regarding TLS 1.2 or if it was TLS 1.3 which currently wasnt supported and you to contact your sales engineer to file a request. ... View more

Verify speed/duplex being used for all links. Also verify that routes are setup correctly in your PA-device (and stuff pointing to your PA-device). ... View more

How come the HDD/SSD's being used isnt larger (but partitioned smaller for enhanced endurance regarding SSD's)? Im thinking of (given current prices) Samsung 830 256GB or 512GB looks interresting. Or for 3.5" solutions then Western Digital Red SOHO 3TB? There is an ongoing endurance test being runned at SSD Write Endurance 25nm Vs 34nm - Page 198 to find out how different brands behaves (some Intel SSD have already failed). ... View more

No... When you use FQDN this is just an "alias" for src/dstip. Meaning that once you commit your security rule the PA device will do a DNS lookup to transform this FQDN (note: not to mistake FQDN with the name of the object which is different and isnt resolved) and once it figured out the ip address it will use that for your security rule when it compiles. The PA will then (if im not mistaken) auto-commit every 30 minutes to get a fresh view of which ip your FQDN points to (according to DNS server). In my opinion this is bad for several reasons. One is that your security rules can be altered by comromising your DNS server so it will respond with a different ip address for this particular FQDN (and hey - suddently you have a huge hole from Internet into some sensitive system on the inside). When you create a custom url filtering then the url being requested will be analyzed as a textstring (because the client for a http request will send a request containing Host-header). Which is also not foolproof because the client can send a request based on the ipaddress instead like http://1.2.3.4 which of course wont match your url filter for *.example.com and example.com. So best (if you want to block access) is to combine a url filter with an ip range. Or even better send this in as appid request if this is a public resource (or create your own custom appid) - or for that matter use all three methods in combination (dstip / url-filter / appid). Its easier if you do the other way around - default block and only allow specific url-categories (and/or customer url filterings). This way if a client tries to use the ip to reach a website or some proxied request (in case that proxy is recognized as web-browsing by PA) it wont succeed. ... View more