About mikand

Im pretty sure the system cpu is involved regarding ssl decryption for PA-2xxx and lower models (perhaps not once the SSL is setup but during the "generate fake cert to send to the client" phase) thats why I asked regarding other features aswell. ... View more

So what about the other models? Do there perhaps exist a feature matrix/table which explains what is done in dataplane vs whats done in mgmtplane for various models? ... View more

Where can one find out more about rumours regarding upcoming version (and dont say "contact your SE" 😉 ? ... View more

I think your best option is to request an app enhancement from the Apps and Threats Research Center. http://www.paloaltonetworks.com/researchcenter/tools/ From there you can click on Submit an app and provide details there. If im not mistaken the dropbox client uses http/https on its own (basically acting like a webbrowser) which makes it hard to just limit it to a special tcp/udp port or for that matter combine the rule with web-browsing or such. Perhaps if you could set this up along with URL filtering as a workaround (in case dropbox uses a special URL for the client compared to the webbrowser edition)? Edit: There are a few URLs available in the source code at https://bitbucket.org/dkocher/dropbox-client-java/src/100b8c7d183b/src/main/java/com/dropbox/client but this version seems to be 2 years old so I dunno how how much differs from how dropbox works nowadays. ... View more

Which means that PBF/PBR is never done by the system cpu not even on PA-200? Compared to SSL-termination which is performed by the system cpu up to (including) PA-2xxx if im not misinformed, while PA-4xxx did this in the dataplane and PA-5xxx have an updated design to perform even more SSL-termination than the 4xxx series. I think this question can have to do with that on Cisco its not uncommon that when one use PBR all packets will get punted to the system cpu instead of just using the asic (aka "dataplane") unless you use C6500 and upwards depending on supervisor etc. ... View more

Still sounds odd... If you maximize 40Mbit/s to transmit 35GB of data you need approx at least 2hours 5minutes or so do accomplish this. Even if the PAN logs at session end then the session start for that session should still be correct wouldnt it? Could it be some NTP who malfunctioned or such? ... View more

I dont know if this will help you but I would set this up as three individual NAT-rules just like you already seem to have done 🙂 1) EXTIP:7000 -> 192.168.1.1:3389 2) EXTIP:7001 -> 192.168.1.2:389 3) EXTIP:7002 -> 192.168.1.3:3389 ... View more

I didnt mean that you should remove the tunnels, but rather make it possible for a site to reach lets say DC2 even if its own link to DC2 is currently unavailable. Meaning if Site1A lost its connectivity with DC2 it can still reach servers at DC2 by going through DC1. IPSEC will, depending on if you use UDP encapsulation or not, add a few bytes (I think its more bytes when using UDP since the full TCP header must be put as payload) to the payload of the packet making the efficient MTU (or rather MSS) be lower for the payload you wish to transmit over the links. The tricky part here is that network equipment such as firewalls, routers etc will then fragment the packets in order to let them pass through the tunnel - making it lose some performance (instead of sending just one packet it must now send two packets while the 2nd packet is many times just a few bytes). Only device which normally doesnt do this is a proxy who will have one flow on inside (towards clients for example) and another flow on the outside (towards servers for example). Regarding handling asymmetric routes in PAN you can set both tunnels to the same zone, this way your security rules will not make a difference if the packet came through DC1 link or through the DC2 link. ... View more

Depends on what the alarm is about. If its a pdf which is suspicious then I would try to cross-test it with another AV such as Kaspersky or similar or if the file is public then upload it to www.virustotal.com to see what the other 42 AV-vendors think of the file. Usually when false-positives occurs you get support-tickets from clients (or server-owners) that some flow didnt work as expected - for example that they cannot download this particular pdf or such. However dealing with an IDP solution you must on daily basis look at it and tweak it in order to learn whats the baseline in your particular network. This way you get experience from what can be a false-positive and whats most likely not a false-positive. Its not uncommon that developers doesnt stick to RFCs and other guidelines or even best practices and use all sort of dirty stuff to communicate over the network and when you put a NGFW such as a PAN into your network then suddently all these bad behaviour shows up in the logs (for example when developers tries to tunnel stuff over already approved TCP/UDP-ports where old firewalls would allow TCP80 even if its SSH where PAN will block such attempts (if you configure it that way)). A common problem with IDPs is the chicken race regarding if blocking should be used or not. An IDP which use for example "failopen" for its interfaces is in my opinion not an IDP you can rely on. You should in this case see this unit as an IDS (or IDS+ :P) because when it fails it will suddently not block any traffic att all but let everything pass through. There can however be situations where a strict block policy can be bad.... For example what will happen if your firewall/idp/whatever suddently stops traffic from your CRL-server? In this case (in my opinion) you should verify how the equipment which relies on the CRL will function. A VPN-concentrator which cannot reach its CRL shall in my opinion not allow any new clients until the CRL can be reached again (or allow a manual override but this should really be a manual override). If you are still chicken about blocking you could then whitelist just this CRL server in your configuration and let all the other flows be blocked by default (while bad traffic to/from your CRL perhaps is set to alert). For example: Default Critical: Block High: Block Medium: Block Low: Block Informational: Block VIP Critical: Block High: Block Medium: Alert Low: Alert Informationl: Alert VIP_Alertonly Critical: Alert High: Alert Medium: Alert Low: Alert Informationl: Alert It also depends on which resources you are trying to protect. For example traffic to/from Internet I would prefer block for all levels (Critical, High, Medium, Low and Informational) while traffic to/from your internal servers to/from your internal clients I could accept to block just Critical, High and Medium (and set the rest to alert). Also you must take into account that the levels is set by PA themselfs and there are probably cases where they set something to Medium where you might consider it to be Low or even worse the other way around - if PA set something to Low which you would assume is at least Medium (for the case where Medium and higher is blocked and Low and lower is alert). ... View more

For debug-purposes it can be handy that you set your last cleanup rule to not only log on "session end" but also at "session start" (otherwise you would need to wait for the flow to finish before it shows up in the PAN logs). Usually session end gives you trafficvolume and application (which session start cannot show) so in case you dont need to know these (since the deny should be on the first bad packet) you can set the cleanup rule to only log on "session start" instead of "session end" (otherwise your log volume will go up if you didnt do this before). ... View more

For redundancy I would recommend you to use the DC1-DC2 tunnel as backup route for your clientsites (depending on how fat this pipe is or can be depending on your wallet and prices in your area). This way if CLIENT1-DC1 link fails but CLIENT1-DC2 still functions then CLIENT1 can still reach servers placed at DC1 (would of course need two metric 2 routes at each CLIENT site which I missed). You could enable QoS in your PAN to make sure that DC1-DC2 traffic is prioritzed over CLIENT-DC1-DC2 traffic. The proxy thingy was just to avoid having public ip's flowing around in your core. If you use a non-transparent proxy then only RFC1918 ip's (assuming you use private ip addresses such as 10., 172. or 192.) will flow through your core and in case one (or many) clients gets infected with a trojan or whatever its somewhat likely that this trojan/badware will try to reach its command and control and if you are lucky an IDS in the core (or the PAN itself) could then scream if it detects ip addresses which shouldnt exist in your network (looking at dstip). The tricky part without loadbalancer is how to use the two DC bluecoats. One workaround is to use PAC (Proxy Auto Config) files which the clients would load in order to find out how to reach Internet, see http://en.wikipedia.org/wiki/Proxy_auto-config for more information. The point of using DC's as gateways to reach Internet is to have fewer licenses, easier configuration (fewer devices to configure regarding url categories etc) but also consolidate logging. If you know that the client sites can only reach Internet through your internet firewalls and proxies at DCs it will be easier to collect these logs and also perform auditing and other operations on the collected logs. Also I assume that you will already have persons for 24/7 standby for the DC's but not necessary for each remote office (client site). But sure if you let each client-site reach Internet directly then they will be more autonomous in case both your DC's fails. Also you could use the content filtering in PAN instead of the BC and just use BC for the proxy stuff (like only allow pure-http and pure-https and such) and let the PAN handle AD-integration (userid), Antivirus, SSL-termination, IDP, URL-categories, AppID etc... ... View more

Is it possible for you to try to redeploy the 4.1.5 installation to see if this might fix your problems? I think another case involving 4.1.x was solved (as workaround) to install the same version twice (but with my goldfish memory I forgot which case). ... View more