About mikand

In that case dont forget to add a url-filter aswell for the same FQDN (specially if this is http traffic). The bad part (security wise) of using FQDN as dstip is that you will rely on what answer the external (compared to the PA itself) dns will bring you. ... View more

Run "netstat -an" on the pan-agent server and verify if you see both PA boxes as established connections. Also compare the configured service routes on both boxes (for example if you dont use the MGMT interface to reach the pan-agent server). Otherwise I hope some of the tips in might help you (also a 3.1.8 user). ... View more

*doh* forgot about that one 🙂 When block-ip is activated, will each attempt from the blocked client still be logged (or if the PA box will no longer log the client attempts - can one override it so it will)? ... View more

I guess the short answer is: contact your Sales Engineer to file this as a feature request. PA have today two methods to deal with annoying clients (over time): zone protection and dos protection (unfortunately none of them can today be used as you requested as I know). Check out for more information. ... View more

I guess you have already read QoS in PAN-OS 4.1? The guaranteed egress is applied at all times but the setting is of course how much bandwidth should the specific class get during congestion/overload of the interface. However im not sure if guaranteed bandwidth also means that the same amount of bandwidth cannot be used by the other classes - perhaps someone from PA could enlighten us? 🙂 ... View more

You can setup a continue page which doesnt require user to verify itself. This way http will be used instead of https (if I remember correctly). The https is used to protect the user/pass when it travels through the network. If you want this to be changed (or have the option to decide if you want the login to be in cleartext or not) you should contact your Sales Engineer for a feature request. ... View more

There are like two schools when it comes to which version to use. One is to not use the latest because "you dont know which bugs this will contain", which is somewhat true... which comes to the second opinion - use the latest version so you dont have any known bugs in your production. I prefer the second method - use the latest version to avoid known bugs (which the latest version have fixed). Hopefully the releaseversions have been tested against some sort of QA at PaloAlto before released in public (compared to beta releases which one might expect be more buggy than final releases). But as a disclaimer - avoid the first releases of a new major version (at least in production unless the major version fixes some bug you spotted in earlier versions). For example avoid 4.1.0 and 4.1.1 (perhaps use them in your lab if you got any) but as soon as 4.1.2 is out I would install it and then install the latest from that branch as soon as its released (and as soon as possible due to maintenance windows etc). Another tricky part is how to handle the URLdb and APP/THREATdb releases - in my opinion since they are about spotting bad code in your environment you should put both to "download-and-install". Yes there is a risk of false-positives but at the same time I would prefer a false-positive over a missed malware (due to slow updates of the db's at my end) in my production environment. ... View more

Perhaps not officially support (as in getting help if setting up a support case) but shouldnt they still work in real life because the vpn client in iphone/ipads works aswell as if you setup a vpn-tunnel towards a cisco ASA as described in: ? I mean as long as it is pure IPsec then it should work, shouldnt it? ... View more

What about the idea of commit on the passive unit which would have more free cpu at mgmtplane and because of that should compile (and commit) faster than if you do this on the active unit? Or what is the flow when one hits the commit button? Is it: 1) The box you are currently logged in to will commit the ruleset (compiling etc) and if successful it will load the dataplane. If commit is successful the config is then synced to its HA-partner who will perform the same operation. or 2) When you hit commit the config is saved and directly sent to the HA-partner - both boxes will try to compile and program their dataplane at the same time. Not until both succeeded the user will be notified of a "Success!". or something completely different than above? ... View more

Theres a great article in the knowledgebase regarding this: (id 36257, Some data being sent to Netflow connector is in the wrong format.) ... View more

Did you check these posts/threads? https://live.paloaltonetworks.com/message/6354#6354 https://live.paloaltonetworks.com/thread/5154 ... View more

His email is posted in the message he posted earlier: https://live.paloaltonetworks.com/message/6354#6354 ... View more