About mikand

Try sniffing manually on your uplink to see if the voip client returns any packets at all? My guess would be that some header within your SIP connection isnt replaced to show the PA's outside ip/port but showing the original (RFC1918?) address. Which of course will never find its way back to your PA (specially if this is over Internet). ... View more

Regarding your 240GB question it depends on how the SDD manufacturer calcs on 1000/1024 but also how the bios settings are. For SSDs its often recommended to not utilize the full diskarea. A simple way to not do this is to use "Large" instead of "Auto" as bios-setting. This way there will be unused space (not reachable for the operatingsystem) which the SSD drive on its own will use to prolong its lifetime (wear-leveling and stuff). ... View more

I think its a combination of the 1024 vs 1000 as factor but also (just guessing) that your quota sums up to 95%. Edit: Uhh, forget about that quota since you were looking at max and not used... ... View more

I saw some post a few weeks ago regarding some recommendation that you should first go to the 4.1.0 and from there update to for example 4.1.6. But I dont know if this is still valid? For example if you have 3.0.1 today and wants latest 4.1 then the steps are: 1) Update to 4.1.0 (and reboot of course). 2) Then update to 4.1.6 (and reboot). ... View more

PA uses top-down first-match (like most FW's do nowadays) which gives that your "Alerting" rule will never be hit since its shadowed by "Block URL for everyone". Could you paste the output you get from the commit-window when you commits? There should be warnings about the shadowing I mentioned above aswell as lack of dependencies (which what I guess is why your user never hits that allow rule). To test if your userid is correct you could as a test (if possible) set application to "any" to verify that its application related and not userid related. By the way - your service-column should NEVER be set to any (in my opinion) - you should use "application-default" OR set this manually (like TCP80, TCP443 if you only want browsing to occur on these ports). ... View more

Expired license? ... View more

Thanks for great feedback! 🙂 ... View more

Isnt that much more fun? Like using Microsoft products in your network - every day is a suprise when it comes to security 😉 I agree with thread starter - since snort have announced a bunch of ips-rules (which I assume also means that their commercial sourcefire IPS can already detect this) hopefully PA could do the same... I tried threat vault to search for both flame and skywiper but no hits, hopefully someone from PA could inform the community whats going on (like which db update and date will have ips-rules to detect this)? And dont say "contact your SE" ffs 😃 ... View more

Also taking an offline backup of running-config.xml BEFORE you start is advisable aswell (and make sure to store backups of this backup in several places at least until your migration was successful 🙂 ... View more

Doesnt ACC also only show last hour by default where the CLI shows for total uptime? ... View more

What about something like: srczone: internal sourceip: any (or just your updateserver so not all clients must reach internet) dstzone: external dstip: any appid: symantec-av-update, web-browsing (due to dependency for web-browsing - hopefully this is fixed in PANOS 5.x) service: application-default (could also be narrowed down to just TCP80) option: url-category: Symantec Where your custom url-category Symantec contains: liveupdate.symantecliveupdate.com liveupdate.symantec.com update.symantec.com and configure your symantec clients to only use http/https (well at least not ftp) for updates (or for that matter direct your clients to a local server and only allow this particular server to sync its db with symantec on the internet)? ... View more

A possible workaround is to have your router do ECMP (Equal Cost MultiPath) or such and run your two PA boxes as separate devices in virtualwire mode. This way you could get 2x100Mbit/s (or whatever limit the 500 boxes have) in throughput between point A and B. ... View more

The tricky part is that a proper DDoS will flood your incoming lines no matter what you do. The DoS protection available is just so the box itself doesnt suffer (or systems behind your PA) but the uplink might be dead anyway... ... View more

* Internet Storm Center https://isc.sans.edu/ * CERT-SE (there is probably a CERT in your country aswell) https://www.cert.se/ * Security that works (old name: Kryptoblog) http://secworks.se/ (old address: http://www.strombergson.com/kryptoblog/) ... View more

I think (just guessing) that using loopback would be better in Active/Active situations. ... View more