About mikand

Im just guessing here but can vwire do a full NAT? Like hiding multiple clients behind a single outgoing ip as when you use L3 interface? Also is it possible for you to paste your NAT configuration? ... View more

A longshot here but did these problems start last sunday (1st july)? Im thinking of the leapsecond stuff... ... View more

I dont think you need to upload the intermediate or CA certs because they are only used to verify the ssl. The PA doesnt verify the ssl when you do ssl inbound inspection - it will just sit there and sniff the ssl traffic and decrypt it using the serverkey. ... View more

The point here is that the receiving firewall/switch/router (unless its proxybased) cannot choose or inform in which order the sending device (like the internetrouter your firewall is connected to) should send its packets. So you must happily accept the order of which the packets arrives on your uplink. What you are in charge of is in which order your packets will leave your firewall which gives that you can either delay outgoing packets or drop them all together (the later is often least demanding on the device which will perform the QoS and is part of RED shaping - randomly early detection). So to get the best effect when a user wants to download stuff is to not only delay/drop incoming packets (the actual download) but also the outgoing ack's sent back by the client to the server. When TCP is being used the algoritms at both client but in this case mainly server will adjust the windows being used and also how many packets will be allowed "in transit" (in plain english - the server will slowdown the speed in which the file is being sent at). More advanced QoS engines can alter windowsizes and other stuff to slow down a specific flow in order to not be forced to drop packets on the road. For the best effect of using QoS you should apply the very same rules in ALL your network equipment - also in the endnodes (the clients and servers themselfs) if possible. This way prioritized traffic will be prioritized at every hop while traffic you have choosed to prioritize down will only use whats left of the current links. Of course not all equipment can do QoS based on content so in PA's case you can tag outgoing packets with various QoS classes (DSCP or TOS) so that your switches and routers (who doesnt know if the flow is youtube which you want to prioritize down) will act on the DSCP/TOS fields in each IP packet instead and still be able to prioritize the traffic correctly through your infrastructure. PS. This subforum is mainly for question regarding the supportportal itself, the proper location for PA question is in KnowledgePoint DS. ... View more

Is it possible for you to get two linknets from your ISP, like RFC1918 based such as: link1: 10.0.0.0/30 (you are .1 and ISP is .2) link2: 10.0.0.4/30 (you are .5 and ISP is .6) ? ... View more

Undecided? According to the admin guide an app can be "unknown" where the reason can be either "incomplete" or "insufficient-data". Where "incomplete" means that a handshake took place but no data packets were sent prior to the timeout. And "insufficient-data" means that a handshake took place followed by one or more data packets. However not enough data packets were exchanged to identify the application. To fix this you can either create a custom appid or contact PA to make it into the common appid database: You can request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. In your case to answer why the PA didnt identify your traffic you would need to provide either the forum, or better, the appid request team with a pcap. ... View more

There is another thread in here (which I cannot locate for the moment) with similar topic. In short you should contact your Sales Engineer to file this as a feature request. Today the PA unit will select the "best" method on its own depending on what kind of traffic is being blocked. I think it currently uses "drop" (just drop the packets), "reject tcp" (send tcp-rst to client and/or server), "reject icmp" (send icmp unreachable to client and/or server) - or combination of them (for example "drop" towards client and "reject tcp" towards server and stuff like that where client is the one who initiated the session). I agree with you it would be nice if one could select "deny" to let PA do its stuff as today or manually specify "drop", "reject" (which would include all reject methods), "reject tcp" or "reject icmp" (or some other method which I might have forgot - icmp host unreachable could also be icmp administrative prohibited or icmp net unreachable). ... View more

By the way does the same options (well what you can trigger on such as "smtp-req-argument") exist in both custom app aswell as custom ips or are there differences? Im thinking of when one should do a custom app instead off a custom ips signature? ... View more

You mean that you want to block a specific url and when you do so the images displays as broken images instead of showing the blocked text? ... View more

Will also IPv46 be available aswell? Well DNAT of an IPv4 dstip into IPv6 dstip? ... View more

1) Click on Home in the upper left then on KnowledgePoint and finally Discussion 🙂 3) Oops sorry... application override doesnt act on url. However you can go for dstip (which I guess wont work in this case since its Google we speak about and too many ip's). Custom application would then be the way to go... I think something like this might help you: parent-app: web-browsing defaults port: tcp/443 (assuming its using https only) ip protocol: 6 (tcp) scanning: file-types, data-patterns, viruses and then the actual signature... check page 171 in the admin guide for examples. Since this is mainly to allow traffic I think you should be as narrow as you possible can. Dont forget to have ssl-termination running in order to inspect the https contents. ... View more

1) You posted in wrong subforum - hopefully someone from PA could move your thread so more people will notice it 🙂 2) You can request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. 3) As workaround I think you can do an "application override" if you have something to trigger at. Like: dsturl: update.google.com appid: web-browsing file: .exe new appid: google-update ... View more

I have never done any setup like that so unfortunately I dont know. Usually when one use vwire you do this without any additional configuration of the interfaces (like L3, VLAN etc) - the idea is that you can take a TP (or fiber) cable and split it in half and put your PA device as MITM no matter which traffic it contains. I mean in your case it would be vwire on E1/3 and E1/4 (or whichever 2 interfaces you wish to use) and thats it and the VLAN-handling would be taken care of the AVM router (like (untagged)VLAN1:192.168.0.254/24, (tagged)VLAN2:192.168.1.254/24). But at the same time I agree with you - it would be healthy if one can assign the various vlans flowing through to different zones. Hopefully one of these documents might help you to get an idea on how the PA device can be used: Edit: As a sidenote here is another great document regarding PA functionality and how to configure stuff (not the question of this thread but I assume its the next thing once the VLAN handling is sorted out 😉 ... View more

Depends on what the purpose is with your PA - is it to protect some internal resource like your vmware box or is it to protect the whole lan from Internet, or a combination (or for that matter to try different setups to better learn how the PA device functions)? I assume your AVM router have a built in VDSL modem and I also assume that MR303 is an IPTV device. I would then set this up as: 1) Set your AVM router into bridgemode (if possible - this is to get as much performance as possible), but let it still be a QoS device between IPTV stuff vs Internet stuff from your ISP. 2) MR303 is connected to your AVM router on the IPTV interface (so it can speak to your ISP's IPTV boxes). This is by assuming that your MR303 doesnt need to speak to your NAS or such. 3) Your PA box is then connected to your AVM router - use L3 interfaces (in your drawing the PA would sit between AVM router and Switch1). 4) Now if you want to isolate your vmware box from the rest of your lan you can still use 802.1Q for the vmware box otherwise you can just use untagged interfaces in your LAN. If you use two or more VLANs (either all are 802.1Q or you leave one as untagged and tag the others) on the inside your PA box will act as a firewall between the zones. Where your TV who is on the same VLAN as your NAS wont need to pass your PA (the flow would be like in your drawing: TV <-> (untagged vlan2)Switch1(tagged vlan2) <-> Powerline AVM <-> (tagged vlan2)Switch2(untagged vlan2) <-> NAS). The term "zone" can bee seen as "interface" with the difference (if I remember correctly - standard disclaimer :P) that a zone can contain one or many physical interfaces along with one or many vlan interfaces at the same time. With the limit that an interface, subinterface or vlan can only be part of a single zone at a time. So in your case Untagged E1/3 can be zoneX while Tagged E1/3.2 can be zoneY (but Untagged E1/3 cannot be zoneX and ZoneY at the same time). Personally I prefer to not use "trust" or "untrust" as names of zones but rather which network is actually available. Such as "WAN", "LAN", "Internet", "Server", "VMware" and so on. ... View more

Based on the video at Strong authentication for Palo Alto Secure Access SSL VPN Solutions | Nordic Edge | The Provider of Secure Identity Solutions I think it should somehow be possible (however they are using user/pass + OTP, from your description I think you want cert + user/pass). Theres a technote also at Palo Alto Networks Integration till Nordic Edge One Time Password Server | Nordic Edge | Levererar lösningar för säker identitets- och åtkomsthantering ... View more