About mikand

Doesnt running-config contain these items? In webgui you go to Device > Setup > Operations and there select Export named configuration snapshot (select running-config.xml which is the current active configuration). ... View more

I think any IPsec based VPN clientsoftware will work for you if its just the VPN stuff you want. Globalprotect includes sort of a HIPS aswell (to keep track of which antivirus and db etc the clients are using and based on if they are up2date Globalprotect can let a client in or quarantine it etc) which a regular IPsec VPN software doesnt deal with. ... View more

Well depends on the firewall and which settings you use. A regular SPI based firewall, lets say iptables in a linuxbased firewall, will just handle the timeouts internally. When a session times out it wont notify server/client that the flow is no longer valid - they (client/server) will find this out once they try to send their PSH packet and noticies it doesnt come through (or rather they dont get the proper ACK in return). So in my opinion you should adjust the timeouts in both devices (both the firewall/whatever and the server). This way the server wont use more resources than necessary and the same goes for the firewall device (which also have upper limits when it comes to concurrent sessions and stuff like that). ... View more

No matter if one use a PA or something else in front of the servers both the device in front of the servers (NGFW, SPIFW, Webproxy, Loadbalancer etc) and the servers itselfs should have tweaked the default timeout. Often the default is 120 or 300 seconds which is often way too much. One can assume that if the client today doesnt get a response back within at least 30 seconds they will hit the refreshbutton (or even sooner). So by lowering the default timeouts to 30 seconds (or even lower) you will in some way mitigate the slowloris. However you might have applications that will need more than 30 seconds to complete (like searchengines and such) which is why you by design should put those resources on their own server and use a higher timeout just for them. So you end up with a default of lets say 15 seconds timeout for regular http and 30 seconds for http which goes to your searchengine servers (dont forget to instruct the searchengine itself that it should search for longer than 30 seconds or whatever timeout you choose). For Apache there are modules that can be configured to better deal with slowloris attempts (except for the already mentioned mod_qos), such as mod_reqtimeout. Set these settings in your apache-conf (just an example): LoadModule reqtimeout_module modules/mod_reqtimeout.so RequestReadTimeout header=3,MinRate=5000 RequestReadTimeout body=10,MinRate=5000 http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html ... View more

To sum it up: External: 63.x.x.x/24 DMZ1: 10.11.107.1/24 DMZ2: 10.11.113.1/24 I assume the range at External is a public range handed over to you by your ISP? This is what I would do: 1) Setup a linknet between your PA and your ISP, for example: PA: 10.0.0.1/30 ISP: 10.0.0.2/30 2) Instruct your ISP to route that 63.x.x.x/24 with nexthop 10.0.0.1 (or whatever IP your PA end up with). 3) Set your PA to use 10.0.0.2 (or whatever IP your ISP will use) as default gateway. Now you can setup parts of 63.x.x.x/24 directly on interfaces on your PA aswell as NAT the other IP's to the DMZ's using private IP's (DMZ1 and DMZ2). So you would end up with (just an example): External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24) DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255) DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255) DMZ3: 63.0.0.113/28 (63.0.0.113 is IP at PA, 63.0.0.112-127) NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever) NAT2: 63.0.0.44 -> 10.11.113.5 (or whatever) But if possible I would start to use this range from two sides. Like NATed IPs from the lower part and routed IPs from the higher part (or the other way around 😃 Like so: External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24 from ISP) DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255) DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255) DMZ3: 63.0.0.241/28 (63.0.0.241 is IP at PA, 63.0.0.240-255) NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever) NAT2: 63.0.0.2 -> 10.11.113.5 (or whatever) ... View more

Check the threat log and traffic log (search for source ip of the client being used) to find out why the flow was blocked. In order for this to work you must have a "deny + log" rule in the bottom of your security rules (otherwise there is just a deny rule which is hidden which means that no logging occurs on denied traffic). When you find out which threatid this xml is being identified as you need to find out if the xml really is bad or not. You can read some about the threat in the Threat Vault: http://wwapps.paloaltonetworks.com/ThreatVault/ If this is a false positive then you should contact the support with info of which db, threatid and (if possible) also send in a pcap (tcpdump) of the traffic when it works (so the support have something to verify against). I think you can get in touch with the app and threat team at: http://www.paloaltonetworks.com/researchcenter/tools/ ... View more

Make sure that your DSL modem is configured as a "bridge" and not as a "router" in order to not lose performance. ... View more

I think you must email him to get a copy, while you email him - ask if he cant publish he utility online? 🙂 ... View more

I think solsens excel-utility can be handy for this. Otherwise you can export the running-config.xml and run it through sed or such. The interresting stuff is between <rulebase> and </rulebase> (to get not only the rules but also any profiles or such) and if you want just the security rules you go for the stuff between <security> and </security>. Another method (already described), specially if you are not friendly to xml, is to use cli and enable set-commands and then just do a "show running-config" (which you then run through sed to only keep the interresting stuff). ... View more

I dunno if my previous interpretation was correct. When you setup custom app (no matter if you use parentapp or not) you have checkboxes for if this particular app should be scanned for antivirus and the other stuff. ... View more

Dont confuse a webcache with a webproxy 😉 Im not that sure that PA can act too much of a proxy due to how the hardware is layouted. Im guessing that its possible but it would involve mgmtplane and that would be bad for other reasons (specially would bring a performance impact). The reason for why Checkpoint can do this is because Checkpoint is a software solution and the performance goes downhill for every feature you enable (thats why Checkpoints datasheets shows performance figures with EVERYTHING DISABLED - compared to PA who have everything enabled). To get an idea of what a simple HTTP proxy must be able to handle here is an example on how to do this with iRules (TCL) on a F5 loadbalancer: http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/85518/showtab/groupforums/Default.aspx # web proxy example # # This is a simple, incomplete example web proxy iRule. # It only supports limited proxy functionality of converting the requested host  #    (from an absolute URI or the Host header) to an IP address and sending the request on.   # It doesn't support CONNECT/HTTPS or most other RFC2616 requirements for a web proxy. # when HTTP_REQUEST {       log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"       # Check if the URI is absolute and http://     if {[string tolower [HTTP::uri]] starts_with "http://"}{          # Parse the host value from the URI        set host [URI::host [HTTP::uri]]        log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"       } else {        set host [HTTP::host]     }       # Check if host header has a port     if {$host contains ":"}{          # Scan the host header to parse the host and port        if {[scan $host {%[^:]:%s} host port] == 2}{             log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"          } else {           # Host value was host: without a port. Use the requested port.           set port [TCP::local_port]        }     } else {          # Host header didn't have a port. Use the requested port.        set port [TCP::local_port]     }     # Check if the host header isn't an IP address (ie, it contains an alpha character)     if {[string match {*[a-zA-Z]*} $host]}{          log local0. "[IP::client_addr]:[TCP::client_port]: Host value not an IP: $host"          # Perform a DNS lookup of the hostname        NAME::lookup $host          # Hold the request until name resolution completes        HTTP::collect       } elseif {[catch {IP::addr $host mask 255.255.255.255}]==0}{          log local0. "[IP::client_addr]:[TCP::client_port]: Host is an IP: [HTTP::host]"          # Request was to a valid IP address, so use that as the destination        node $host $port       } else {          # Couldn't parse host header.  Could use the destination IP address as the destination?        HTTP::respond 400 content "Invalid Host header"        log local0. "[IP::client_addr]:[TCP::client_port]: Invalid host header: [HTTP::host]"     } } when NAME_RESOLVED {       set response [NAME::response]       log local0. "[IP::client_addr]:[TCP::client_port]: Resolution response: $response (elements: [llength $response])"       # Check if there is a resolution answer and it's an IP address     switch [llength $response] {          0 {           # No response, or response wasn't an IP address           log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"       HTTP::respond 500 content "Couldn't process request"        }        default {             # Response was one or more list entries.  Use the first list element.  Check if it's an IP address.           if {[catch "IP::addr [lindex $response 0] mask 255.255.255.255"]==0}{                # Request was to a valid IP address, so use that as the destination              if {$port != "" and [string is integer $port]}{                 log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with parsed port [lindex $response 0]:$port"                 node [lindex $response 0] $port              } else {                 log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with default port $response:[TCP::local_port]"                 node [lindex $response 0] $::default_port              }           } else {              # No response, or response wasn't an IP address              log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"          HTTP::respond 500 content "Couldn't process request"           }        }     }     # Release the request     HTTP::release } ... View more

In my opinion, specially when it comes using PA towards Internet, you should decrypt everything and stuff that cannot be decrypted shouldnt be allowed through. Windowsupdate can be handled separately (for example if you setup a WSUS and only let WSUS server go for windowsupdate on the Internet using appid windowsupdate). The tricky part is how this cert whitelist which PA uses affects decryption. Will this whitelist always overrule decrypt settings or will a "deny flows which cannot be decrypted" overrule the whitelist - perhaps someone from PA could clearify? Anyway - there might be countries/places where you are not supposed/allowed to decrypt stuff on the road. Banking/Financial seems to be a common example. Otherwise it can be for performance reasons which you dont want to decrypt certain categories but in my opinion this is bad... ... View more

No idea, but since there already is a setting like "Enable Config Sync" I guess it should be somewhat easy for PA to fix this if you file this as a feature request through your sales engineer. I mean setting up HA but only enable "Enable Config Sync" and disable sessionsync etc. ... View more

I dont think there is any reliable way to do this. You could watch for "user-agent" string (which the mobile device owner can change) and tcp windowssizes being used (which can also be changed). One way is to do the other way around - use globalprotect to identify which box is which and based on this information (like a whitelist) you can QoS those into a higher prio. Or captive portal (but this wouldnt stop mobile devices). Another way could be if you have an AD and configure userid to only allow the specific AD-group containing your approved devices (based on machine accounts). ... View more