About mikand

Do you have another box to perform tests on? Since a reboot would make it autocommit and in case it cannot commit you would end up with a (from the client/server point of view) dead unit. I wonder if you export running-config.xml and import it (under a new name so you wont end up with two "running-config" :smileysilly:) in another box (with the same PANOS and hardware model) - do you get the same error? ... View more

Searching through PAN-OS_4.1_CLI_Reference_Guide.pdf it seems that destination based on ip address is supported along with application. Couldnt find any words of if one can use URL category for QoS. Indirect you could do this by create a QoS who acts on applications (or even custom applications) but that will be somewhat limited. A custom application would work if you have something like "http-host: *.example.com" or similar. I think creating QoS based on URL-categories would be handy. On the other hand it would be somewhat similar to create this based on an application filter or application group (for example if you wish to put video-feeds into a lower QoS for Internet). ... View more

You mean in order to limit possible downtime? I think best option is to do this during a service window. ... View more

That sounds really odd. Of course you must specify the true netmask somewhere for a L3 interface so the PA unit knows whats local (and send arp whois) and whats remote (and to be sent to defgw or nexthop). ... View more

The mark in top is idle time so cpu would be 100 - 55.7 = 44.3% to be compared with the 12% in GUI. What comes to mind is if you runned GUI first and then check with CLI, because then cpu usage to render GUI would of course be viewable in the CLI unless you refresh GUI again (which I guess you already did before posting this question? 😉 ... View more

So as of today PAN only use srcmac+dstmac as transmit hash? Which gives that if you setup PA <- 2 cables -> switch <-> server only one of the cables will be used for traffic from PA to the server? Would be great if this can be tweakable in future updates to at least involve a transmit hash such as srcip+srcport+dstip+dstport for added utilization of the available links in the aggregated group. ... View more

Do you have a pre-conf and post-conf to compare on what the differences are? In case the upgrade changes vpn tunnels to loopback interfaces instead of physical interfaces or something like that? ... View more

To me that sounds bad because now all s**t at *.msn.com will bypass the protections that your PA can offer regarding threat and antivirus etc. ... View more

I would guess that the webserver process in the mgmtplane died for some reason (or was killed). If you dont want to interrupt your network you can try to restart just your mgmtplane by following command: request restart software another command (anyone from PA who perhaps can explain the difference?) is: debug software restart management-server or more specific debug software restart web-server ... View more

Except for replacing the hardware with another model who have faster mgmtcpu and more ram? I have heard rumours that even PA-200 might be faster (regarding GUI and such) than PA-2xxx due to more ram available for the mgmtplane. You could try (if possible) reboot just the mgmtplane of your PA-2050 to see if this resolves the high webapp3 usage (or if the high usage returns shortly after reboot) - could be (in worst case?) some memory leak of webapp3 or such which causes the high usage (more than normal compared to what jfitz-gerald explained). ... View more

Which hardware and software (PANOS)? ... View more

In my opinion if the file might contain sensitive data then it shouldnt be sent to wildfire at all (as wildfire currently works since Amazon EC2 etc is involved in the process). I have spoken to my SE regarding the need of a privat cloud (cloud runned in your own datacenter so the files sent to wildfire engine never leaves your datacenter) and hopefully this will happen some day... You can however be somewhat selective on which files to upload to wildfire. For example only files arriving from internet zone or downloaded by a specific user/usergroup and such (or from a specific url and so on). ... View more

The top-down first-match is a common execution path when it comes to security rules. Cisco use this, iptables (Linux) use this and so on. To me this is easier to maintain and to interpret (and audit) by simply just read the rules from above until you hit a rule where all "columns" match. Compared to ipf in bsd (along with older allied telesyn switches among others) where a later rule can overrule a previous rule. The new thing with PA (compared to legacy SPI firewalls/acls) is the use of applications. The problem here (as I see it) is if you rely to much on application identification. Thats why I recommend people to first setup their PA as a regular SPI firewall (using the "service" column to define ports) and then add appid to each rule (meaning be as specific as you can regarding "service" or at least use "application-default" and DONT user "any" for service). That is because it can take a few packets before your NGFW detects what kind of application this is and these few packets can be bad for the server your try to protect. You can test this yourself... Setup a rule with appid:web-browsing and service:any. Then setup a webserver listening on TCP81 and connect to it using telnet client such as "telnet 1.1.1.1 81" and type: a b c followed with two enters (that is a[space]b[space]c). Now run tcpdump on the webserver and you will see that your PA (or any other NGFW) will let this packet through to hit your webserver. Not until the webserver replies with "400 Bad Request" the app engine will have proofs that this flow is supposed to be web-browsing but the request isnt so the response will be blocked back to the client. Now, if you setup your rule as appid:web-browsing and service:TCP80 the request would never reach the webserver at TCP81. ... View more

You could setup a rule for just your ip with "app=any" (and log on session end) to see how this is being identified currently by your PA device and afterwards limit it down to whatever application it identifies. If im not mistaken Google Docs is replaced by Google Drive so I hope that the current Google Docs appid's can be reused for Google Drive (until PAN releases an updated app-db): google-docs google-docs-editing google-docs-base google-docs-enterprise google-docs-uploading Fastest way to get a response regarding this is to request app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. ... View more