About mikand

I would also like to place myself in this feature-line regarding ability to (per security rule) define if the traffic should be denied (drop) or rejected (drop-reset). Perhaps it could be called just "deny" vs "deny-rst" in the gui. Would also be nice to be able to define if icmp-unreachable should be sent or not. ... View more

When you login to https://support.paloaltonetworks.com/ click on "Threat Database" in "Find Answers" (to the left or the right). In the search box type "33939" (without the quotes), make sure "vulnerability" (for this case) is selected in "type" and finally click on the Find-button. However... doing the above will only bring you the obvious: " Detail Attack Name     PDF Exploit Evasion Found Description     This alert indicates that PDF exploit evasion has been found on your network. Threat ID     33939 Severity     informational Category     info-leak " So ehm... anyone else with ideas? 🙂 ... View more

Just to clearify, its not me who wrote that post over at Cisco forums. ... View more

According to tests made by NSS Labs the PA boxes performed 115% of stated performance mentioned in the datasheets. I dont know if this is valid for the PA-500 since the test was performed on a 4xxx/5xxx box. Another observation in these tests was that it basically didnt matter if you enabled/disabled scanning features such as the IDP, AV etc. As a sidenote higher throughput was observered when ALL features was enabled compared to when only one feature at a time was enabled. ... View more

Here is that post from Cisco forum in question (in case someone is too shy to click on the above link 😉 " thaer.ontabli 5 posts since Mar 20, 2011 Mar 13, 2012 7:35 AM (in response to david.tran@finra.org) ASA's vs Palo Alto firewalls? This is my experience with Palo Alto: A PA Engineer spec’ed out two 2050 for our environment of approx. 1000 user. Soon after the box was installed I discovered a couple of issues with their 3.x OS: 1 ) User activity report not giving accurate reporting, it’s all messed up and doesn’t match what’s in the log. Support confirmed it’s a bug and I filed three cases (every time I escalate or they tell me they have a fix I had to open another ticket ) case# 15350, 21993, 30788. The case took more than 5 months and was never fixed until OS 4 was released 2 ) QoS does not work when you filter application with application grouping. Alternate is you have to enter every application manually in a rule to filter out for example all P2P applications need to be entered in a rule instead of grouping all P2P in an object. Case was open for more than 5 months until it was fixed in OS 4. Case # 22967, 23047 3) Web, SSL VPN, captive portal services crashes. Service crash for some reason and the fix for it with OS 3 were for me to call support and have them login and restart the service for me. Was very frustrating as more than 6 months past with support and engineers having no idea what’s going on. A lot of cases were open and closed. Case # 32874 With OS 4 released: 1 ) still having issues with web, ssl, and captive portal service crashing. Now with OS 4 they made the services auto restart so I don’t have to call them, but now the problem the service is crashing in the back end three times a day causing the services to be unresponsive which I think is related to the next case 2 ) Gui or CLI interface very slow and impossible to apply any changes during daytime without having the commit job fail two or three times. Called support and they think it’s a bug with the software OS 4. Now its release 4.1.3 and still no fix or clue as to what is wrong. 3 ) VPN Global Protect is ridiculous. Client would act in a weird way by going into infinite state of trying to connect. On some client it will just not work until the client machine is formatted. Now its Global Protect release 1.1.3 and still no fix. There a lot more smaller issues not worth mentioning as there is a work around to them or you can ignore them. I had my sales rep involved with all these cases and was not able to do anything to expedite or get a firm ETA with Palo Alto support. My sales rep was able to get me a demo of PA4050 which seemed to resolve 80% of the problems, so I went back to support and told them if a PA4050 fixed the problem doesn’t that mean the engineer undersized the box for our environment. They kept refusing that idea and claiming there is a bug with the OS. Now after two years it got to a point where it’s just a waste of time to go back to support that I just closed all the cases and working on slowly replacing the system " ... View more

Well actually if your ISP would have a route back to your PAN for your DMZ... would it work or would it end up with a routing loop? ... View more

I hope you mean shouldNT? Since directly attached networks wont need routing. ... View more

Will the following work as a workaround for you (until PA fixed ability to inject code into streams)? https://live.paloaltonetworks.com/docs/DOC-1399 https://live.paloaltonetworks.com/docs/DOC-1657 This way you can at least mostly block users from accessing safesearch=off or whatever you prefer. ... View more

Hopefully someone form PA see these instructions and can push them into Panorama so Panorama will just "Do you wish to import the configuration from device 1.2.3.4?" 🙂 ... View more

I cant find anything regarding this in the manual. I think you should file this as a feature request and at the same time ask for the ability to do the same for the other mgmt services such as http, https, telnet and snmp. ... View more

I know a real DHCP server can solve this however the point here was to avoid using external devices for the particular network and use the built in DHCP server of the PAN device instead (basically to save some money since this was a best effort network and not really prioritized). In the particular case not all our networks had switches capable of dhcpsnooping so we couldnt rely on option82. However the switches who could do this would have dhcpsnooping enabled and the sideeffect of using PAN for DHCP in this case was also to get the option82 logs in the same view as srcip. This way in order to track down a particular client you would only have to go to the ACC of the PAN and voila - everything is there (srcip, option82 (meaning physical interface in your access-network) etc). When you use a real DHCP server you would need to match the logs between the PAN and the DHCP server (not to mention that this DHCP server also costs some money to buy even if you use ISC DHCP and Linux the hardware still needs to be aquired). ... View more

Two simultaneous code trains? Try to make it three now when PANOS 5.0 seems to be scheduled for release in Q2 2012... Also your observations makes me wonder... what does PA use for themselfs? I mean Im pretty sure that these bugs must have been available for PA's internal network aswell (given that PAN devices are being used there and that your bugs are not RMA related) - or does PA internally use some other codepath or even hardware? Some time ago there were some laughs regarding that the Microsoft ISA team (Microsoft "firewall") didnt trust their own product because they used Freebsd and the firewall in there to protect their own dev-networks instead of using the ISA. ... View more

Could you throw me in aswell into this watchlist regarding DHCP options as a feature request? If im not mistaken I was whining about this 2-3 years ago along with per vlan DHCP server (the idea with the later is to terminate VLANs into the PAN and depending on which VLAN the client sits on it will get different ip-address along with defgw ip etc - however handling DHCP options would solve this on its own, such as option82 from the dhcpsnooping in the access-switches). ... View more

Thats the idea of the mgmtplane vs dataplane in PAN. The mgmtplane is a regular x86 cpu taking care of GUI, compiling configurations (when you click commit) and handle all the logs. Also for smaller models the mgmtplane will also take care of the on-the-fly generation of MITM certs for SSL-inspection. The dataplane is a fpga/asic (depending on box) where all the traffic is being handled (and for (I think) 5xxx models includes on-the-fly generation of MITM certs for SSL-inspection). This gives that even during a DDoS situation where the dataplane is maxed out your GUI should work without problems (depending on your logsettings etc since all the logs that the dataplane pukes out will be handled by the mgmtplane if you have setup to log stuff). With that said having a high "cpu utilization" for the dataplane isnt really an issue until it hits the 100% mark and latency will start to occur. Also the utilization doesnt seem to be linear either. Like if you with 2.500 concurrent sessions see 25% data-cpu it doesnt mean that the max limit will be 10.000 concurrent sessions but rather 20.000, 30.000 or so (just an example). ... View more