About mikand

In that case I would use best-match which would give jDownloader as final result. You can compare it to using your web-browser and visit youtube. Is it web-browsing or is it youtube? Actually its both (which you will see if you enable log on session start how the flow hops between applications). You can also search on "management" and "client-server" in applipedia to see various applications (runned on the client) and not applications as in which url is being visited. But sure in order to successfully identify jdownloader there has to be something to identify at. Useragent is one of the things (since its using http). Another thing could be, in combination with useragent, which headers are actually being used (present) and in which order? Perhaps chunked downloading is being used? Or multiple sessions towards the same ip address? and so on. There can also be secondary trigger points which can be used - in case the application phones home, similar to how skype is being identified (sure you can block skype with PA but to do this you are forced to allow skype-probe to pass through). With PA you can at least be sure that HTTP is allowed and nothing else. If you want to block which browser the client uses to download stuff over HTTP you need to apply whitelisting on the client computers (there are several products that does this on the market with various results, http://www.cryptzone.com/products/se46-application-whitelisting/ is one of them). ... View more

When the client requests dhcp information some dhcp server on your network will reply (if you use dhcp unless you use static addressing). I dont know if you run your PA as dhcp server or if you have a dedicated box for this task. Either way you can configure the dhcp server to not only tell the client which ip address to use, which netmask to use and which default gateway to use - but also which dns1 and dns2 the client should use. If you dont have your own dns-resolvers on a DMZ or such you can use public dns-servers. Two available (from Google) is one with ip address 8.8.8.8 and one with ip 8.8.4.4 (given that your clients are allowed to reach Internet). This way you dont need to allow mDNS through your PA device (unless I completely misunderstood your case?). ... View more

If URL filtering is such critical piece of your security arsenal then you REALLY should enable ssl decryption (for all outbound ssl connections). This way the URL filter can do a better job and you will also be able to perform IDP, file, AV and other filtering on the flows. You can in the decryption policy for example exclude banking if you have some privacy concerns in your organisation and at the same time make sure that ssl flows that cannot be decrypted will be blocked. Also dont forget to change that "url-filtering <name> license-expired" so it will "block" if your URL filtering license expires (otherwise ALL sites will suddently be available). ... View more

Out of the blue my bet would be that the "ftp.forbes" object is part of one of the groups in the rule below (at the same time as the sourceip stuff is similar). Perhaps you have used a cidr with to large mask by accident or such? As a test (if possible), what if you disable the first rule - will the warning disappear and will the service still work (but now hitting rule4 in the traffic logs)? ... View more

I disagree... If you take a look at applipedia (http://apps.paloaltonetworks.com/applipedia/) and select file-sharing and browser-based you will see shitload of apps that is just that - downloaders: 4shared, bigupload, easy-share, megaupload and so on (currently 84 appid's matching the above search). Hopefully the download "accelerator" that the thread starter uses will use some useragent or such which you can identify the flow at (and by that create your custom application). ... View more

Not necessary... even GPL stuff is copyrighted but the license allows you to spread the product. ... View more

A workaround could be to setup your dhcp server to instruct your wifi clients to use particular dnsservers instead of this mDNS mumbojumbo. If you dont have your own resolvers you could use googles at 8.8.8.8 and 8.8.4.4 or some of the public ones provided by opendns. ... View more

No cost to my knowledge. The tricky part is as you already mentioned to convince the app-people that this particular app should be part of the global appid-db. ... View more

I guess this one might be handy? https://live.paloaltonetworks.com/thread/4367?tstart=0 ... View more

Could it be that the response pages are not synced and when you do your commits every other time the unit who were active (and you configured) becomes passive and suddently the other unit is active who uses the old response page? ... View more

I guess you already tried to commit just after your upload? ... View more

Is routing setup correctly both on the PA device and on the target system? ... View more

Unless you create a custom app on your own you can request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. ... View more

You define for which zones and ipaddresses and/or users along with categories you wish to enable ssl decryption for. In you case perhaps something like: srczone: clients dstzone: internet srcip: any dstip: any user: any categories: (select all categories, dont know if "any" exists yet). action: decrypt This way as soon as a ssl handshake is seen the PA will intercept depending on if you set this up as ssl-proxy (common when intercepting outgoing clients) or ssl inspection (common when intercepting incoming clients towards one of your servers which you have the private key for). Previously there have been issues with 2000-series when there were to many concurrent ssl decryptions (because at 2000-series and below the mgmtplane is involved into creating the faked cert on the fly). I dont know if this has been fixed yet (I think it is). Also note in order to make this transparent for the clients you need to import the CA cert (well the public part of what you imported into your PA device) as a trusted CA in your clients (can be done through group policy). Also you can use a second cert (and not import this one in your clients) which PA can use for ssl sessions that couldnt be verified (for example if the cert from the server at internet is expired, revoked or such). ... View more