About mikand

Will the posts in help you? ... View more

There is no need for a license to use QoS (as I know of) however Im not sure if the QoS settings in PA will allow you to set a quota per queue or user or such. What you could do is to set users or groups into a particular QoS queue that is either prioritized or downprioritized compared to the other traffic. So now when the olympics is about to start you could downprioritize specific users/groups (or better appids such as youtube or app-groups etc) so they can watch the livestreams but only for whats "idle" of your bandwidth - production traffic (emails or whatever) will have normal (or higher) priority. ... View more

If outside means Internet then you will most likely see all sort of shit thats out there. It seems not uncommon that the noise level on the Internet (various bots and other junk) is 1-3kbit/s per ipaddress (based on own experience, might vary in your area 😉 So in your case if some internet ipaddresses tries to get to your DNS servers (which happends to have public ip's but security rules will block incoming requests from Internet) then you can use tcpdump through your internet router to verify the content of these packets and if you belive they are false positives then send it to the appid team? ... View more

For original packet you setup what this particular NAT rule should trigger on. So lets assume you have traffic from srczone:Internet towards your public ip and service:12345. srczone:Internet dstzone:Internet srcip:any dstip:<your public IP that the client will talk to> service:TCP_12345 Translated packet will then look like: translated address:<ip of the server in DMZ or where it now might be located> translated port: just leave it blank (or manually fill in 12345) Now the above is to change the ip header for matching packets. You still need to setup a security rule before the packets are allowed to reach that server at DMZ: srczone:Internet dstzone:DMZ srcip:any dstip:<your public IP that the client will talk to> service:TCP_12345 appid:smtp (or whatever appid is applicable in your case) The above is to DNAT incoming traffic. If you want your server at DMZ to on its own initiate outbound traffic you need to setup similar SNAT. The above, when dealing at service (port) level, is good when you have only a single or a few public addresses. So the same ip will forward to different servers in DMZ depending on which proto/port the client is addressing. So you just redo the above work and setup another DNAT rule for next service and another security rule to allow that service (along with appid if possible). To make it easier you can setup a 1:1 DNAT (and SNAT at the same time) so that a particular public ip always matches with a particular DMZ ip. This way you wont need to setup more NAT-rules (only one per server) and only have to setup security rules for each traffic flow (of course depending on how you setup these security rules but I would recommend you to be as narrow as possible when you setup allow-rules). ... View more

Well the 1 hour delay between the nodes doesnt seem to be working and I guess it shouldnt either. When box A gets a new content this is sent to box B for installation aswell so IF a failover occurs they both have the same content db's (no matter if its appid or url-db or something else). Also reading the logs I get the impression that the auto-commit of config with a new antivirus-package takes approx 2 minutes. So when node1 is done with its update incl. auto-commit at 2012/07/16 19:10:13 it checks with its peer 4 seconds later if its up2date aswell... but it isnt, its still in the progress of installing the update. Node2 is however done at 2012/07/16 19:10:41 which is shown at 2012/07/16 19:10:45 on both boxes that they are now both up2date in case a failover occurs. Personally I dont mind about the above logs (even if it would of course be better if this particular case could be logged differently because the passive node will always be updated after active node - unless the active node have way too much to do in mgmtplane, then active node could take longer to complete its auto-commit with new antivirus-db. However what im worried about is that the above logs shows that IF a failover occurs then the passive box is in the middle of an auto-commit aswell - how will new sessions be handled in this case (since programming of the dataplane isnt atomic, or is it)? ... View more

Is this close enough (mentioned in the comments at your link) ? I guess this one might be handy aswell: ... View more

Just guessing here but since PA is working on their own url category db to replace Brightcloud (I think this year already) then the db used in wildfire is the new PA db where the PA devices mostly use Brightcloud db today (I guess the new db is to be released for PANOS 5.0)? Another idea might be how the resolution is performed - will Brightcloud check the full url and not just the domain part (Im thinking in case wildfire checks the full url like one folder on a webserver can be classified as malware while another folder is classified as something else)? But yeah I agree, would be nice if any bad urls known by wildfire could be pushed out to the regular url-db so customers who doesnt run wildfire can take advantage of this (for example if you block access to url category "malware") but also so the bad malware isnt downloaded by the client at all (because stuff that hits wildfire has been downloaded by the clients). ... View more

By the way, how come the default is 1800 seconds (30min) when for example Cisco (switch/router)equipment uses 300 seconds (5min) for mac-address-table timeout and 14400 seconds (4 hours) for arp table timeout (or TTL actually)? ... View more

I dont know if the PA-2020 got some other value but according to the CLI Reference Guide for PANOS 4.1 the default is 1800 seconds: Sample Output The following command displays ARP information for the ethernet1/1 interface. username@hostname> show arp ethernet1/1 maximum of entries supported :      8192 default timeout:                    1800 seconds total ARP entries in table :        0 total ARP entries shown :           0 status: s - static, c - complete, i - incomplete username@hostname> ... View more

Active-passive with PA is more of an online version of "coldstandby" (lets call it "hotstandby" or something :-). Meaning that the passive unit is an exact copy of the active unit except for the mgmt ip and hostname. If the active dies (or is considered to be dead or not fully functional) then the passive unit will become active. Active-active with PA wont bring you more performance but can solve situations where you have assymetric routing. It seems that if you can avoid active-active then you should avoid it. In your case you could go for active-active however im not sure on how it will deal with LACP. If using LACP (or etherchannel) through an active-active group you must be sure that the loadbalancing wont spread the same session over multiple lines. I think the design guide recommends that each LACP group goes over a single PA-unit. Like int1 and int2 is LACP1 and goes to PA1 where int3 and int4 forms LACP2 and goes to PA2 (check the links in the end of this post). Another solution is to setup your two (or more) PA-boxes as single-units (they dont know of each other). This would force you to configure everything twice (or three or four times depending on how many boxes you would have in this setup) but can this can be avoided by using Panorama instead (this way you can configure global rules for everything and push out to all boxes). The point of configure the units as single-units is to gain performance and then let the routers/loadbalancer before/after your PA-setup to spread the load of available lines (PA-boxes) and dont forget to keep each session over a single line (until it fails and then move these sessions to another line). Also check out these documents for ideas on how to setup PA-boxes in various situations: ... View more

You can set a security rule before your current allow rule which will blacklist certain ranges. In PA you can set range by country (this list is basically maxmind's GeoIP and some other sources if im not mistaken and updated through app-id database I think) so you can somewhat "ban" a whole country or region. And in case you dont want to see these blocks in your logs this blacklist rule can be set to not log a thing. A better method is to make your allow rule as narrow as possible. The design could be: 1) Blacklist rules (as wide as possible and mostly to ban for global access no matter which service they wish to connect to). 2) Allow rules (as narrow as possible). 3) Default deny + log (stuff that isnt allowed elsewhere should be logged if you are interrested in those logs). The tricky part is that the "attacker" will of course, depending on protocol, see that they are being blocked because PA currently doesnt allow you to set HOW the blacklist should block the client (which method is being used depends on which protocol the client requested and is set by PA themselfs). It seems that many PA-users have already sent this as a feature request to their Sales Engineers (so it would be great if you could do this aswell) so you as a PA-admin could decide how the block should be performed (just drop or deny where the deny will send a packet back to the client with either tcp-rst or icmp net/host unreachable or icmp administratively prohibited). In your case I would prefer to just drop the traffic (the attacker will not get an answer at all not even that the port is closed). ... View more

What about "show system logdb-quota"? https://live.paloaltonetworks.com/docs/DOC-1213 ... View more

Do you get the same slowness if you block access to: www.google-analytics.com ssl.google-analytics.com all together? Like by adding this as sinkhole in your dnsservers or by adding this to your local hosts-file (or as a url-filter block, you need ssl-termination to block the ssl edition): 0.0.0.0  www.google-analytics.com 0.0.0.0  ssl.google-analytics.com ... View more

There is a trusted CA list within the device but I cant find in the manuals on how to list its content nor how to add your own CA's to this list - perhaps somebody else in here who knows? Regarding importing of stuff, if the web-gui fails you can use scp or tftp like so: scp import certificate from user1@10.0.3.4:/tmp/certificatefile tftp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile ... View more