About mikand

If possible update to 4.1.2. Could it be that the traffic you see isnt complete yet? The default in PAN is to log at session end, dunno how those features works if you log at session start aswell and then try to dig into a flow that have just started but not completed (and therefor perhaps doesnt yet have any more details to show)? ... View more

I think thats the more common way of using zones. The zone is just the description of the "interface" (no matter if the interface is physical such as EthernetX/Y or logical such as VLAN123). So instead of using "ethernet1.6/200" or "vlan123" you bring this interface a useful name such as "Internet". Which gives that your security rules looks like src zone: Internet dst zone: DMZ-DNS instead of src interface: Ethernet1.6/200 dst interface: Ethernet1.3/104 And then use address objects and address groups to further make your security rules easier to interpret when you are staring at them. Like (already mentioned): client-a-net = 2.0.0.0/27 client-b-net = 128.x.x.x/24 with group: client-internet = client-a-net, client-b-net And your security rule becomes: srczone: Internet src ip: client-internet src port: >1023 dstzone: DMZ-DNS dst ip: dns-servers dst port: specific (TCP53, UDP53) appid: dns profile: PROFILEGROUP_BLOCK action: allow ... View more

I guess you have already went through the stuff mentioned in QoS in PAN-OS 4.1 ... View more

I guess you already contacted your sales rep regarding this? A workaround should be to use a L3-switch in front of your PAN and setup a linknet between your PAN and the L3-switch. Like so (just an example): Clients: 10.0.0.0/16 (shitload of clients :smileysilly:) L3-switch int gi0/1: 10.0.255.254/16 (interface towards the clients, this ip is the defgw for the clients) L3-switch int gi0/2: 192.168.0.1/30 (interface towards the PAN) PAN int0: 192.168.0.2/30 (interface towards the L3-switch). then routing in the L3-switch: ip route 0.0.0.0 0.0.0.0 192.168.0.2 This way the PAN will only need to keep track of a single ARP entry (the mac-address for the L3-switch (192.168.0.1)) while your L3 switch will keep track (ARP-wise) of all the clients. ... View more

You mean like a destination NAT but instead of doing this at the ip level (replace dstip x.x.x.x with y.y.y.y) you do this at the url-level instead (replace http://www.xxx.com with http://www.yyy.com when the request is flowing through (or rather alter the "Host:" part of the http-header?))? Whats the main purpose of this (in order to help you out with a better solution)? Is it so the client who vists (and in their addressbar) have "www.google.com" but they are actually being served pages from "www.bing.com" (forward situation)? Or is it because you have a webserver where you cannot change the hostname/which domains it listens for (for one reason or another), like companyname, but your company just changed name so both the old and the new name must work (reverse situation)? Or is it a mix? Because if you alter the host-header you can still send the packet to the original dstip. Or do you change dstip aswell based on what the dns says that www.yyy.com points to? And if so, is this dns lookup performed only when you commit your rules or lookuped for each requst (or some buffer)? ... View more

Whats the output from the logs of your PAN unit when you does this? Is the login perhaps identified as web-browsing and since you allow web-browsing this will be allowed to pass? Also which appid database version do you currently use? ... View more

Did you escalate this as a supportcase through your sales engineer? Also go through and verify so not the convert script did any bad converts. You can also setup nat based on zones if im not mistaken. ... View more

I think its not uncommon (specially when it comes to these huge amount of logs) that one use Panorama only for somewhat shortterm digging and setup a dedicated syslogserver (either something just syslog-ng based or something more expensive such as Splunk or even Arcsight). This way the syslogserver will do all the archiving (and you can setup filters of what you want to save and which compression you wish to use - compared to Panorama who saves everything that each PAN unit is throwing at it) while the Panorama have the full blown easy to click GUI as you get with ACC. The Panorama can then also perform daily or weekly pdf-reports for management. Where the syslogserver is used to dig into logs which are older than they can fit in the Panorama (if you lets say retain logs in Panorama for the last 90 days (3 months) or so). On the other hand - how did the huge companies (often refered to by the marketing) setup their logging? I have also seen (I think it was in this forum) that each PAN device can roughly spit out 7000-9000 logrows/second as a peak. Dunno what happens when it got to much to do (if the logs are queued up or if they are just thrown away) - anyone who knows more details of the internals of PAN logging? Juniper for example have a "Oops - missed some" when the internal logengine cannot deal with all the logentries produced by the fabric. And a small tip regarding your design (which on the other hand is a matter of taste 😉 You could setup an outer-dmz and an inner-dmz on dedicated interfaces of each firewall and put your clients in the core. Like so: outer net <-> outer firewall <-> core <-> inner firewall <-> servers (inner-dmz) clients <-> core outer-dmz <-> outer firewall inner-dmz <-> inner firewall This way a client who needs to reach the outer net will be: client <-> core <-> outer firewall <-> outer net while if it wants to reach an internal server it will be: client <-> core <-> inner firewall <-> server (inner-dmz) ... View more

Whats your settings of ssl-decrypt along with decryption? You need to choose "trusted root CA" along with "forward-untrust-certificate" and "forward-trust-certificate" if im not mistaken. Then in decryption you can set it up as: Name: SSL-termination Category: any Type: ssl-forward-proxy from: any to: any source: any destination: any source-user: any block-if-failed-to-decrypt: yes negate-source: no negate-destination: no action: decrypt In from/to/source/destination you will limit for which flows it should step in and do the MITM stuff. It can for example be wise to use client-iprange as source in your case. Then regarding current VSYS you can setup: allow-forward-decrypted-content: yes You can upload customized block pages but I think you can in the GUI go back to the factory default. Also verify that you in the antivirusprofile for this particular rule have setup so "http" is set to "block" (I think this is in the defaultprofile already). ... View more

Regarding setting service then of course if you limit lets say web-browsing down to TCP80 (where the TCP80 is put in servicecolumn) then it wont be able to detect web-browsing which is passing at TCP8080 or any other port for this particular rule (because that will be dropped if you use a classic whitelisting setup of rules meaning a bunch of allowrules which in the end have a deny+log). But I think it can be sane to manually specify which ports you wish to limit because even if the grand feature of PaloAlto is application detection it doesnt mean that it will always succeed in detecting such applications not to mention that "service-default" might change over time. Also if you set a huge range of ports (or "any" for that matter) - before an application can be identified the traffic must be let through (depending on what the payload is). A simple test is to send "a b c" as a HTTP-request to a webserver hidden behind a PAN and you will notice that PAN will let this packet through to the server, but as soon as the server replies the reply will be not let back to the client (because it is when PAN gets the reply from the server it knows that the requst was HTTP and not something that just use TCP80 which means that the flow will be denied once it figured out the flow is not about web-browsing and your rule only allows web-browsing). So in my case I recommend to first setup the rule in PAN as you would with a normal SPI-based firewall. And then choose appid for that rule then finally go to the service column and change specific ports into either manully defined range/ports or "service default" or "any" for very chatty procotols (for example many Microsoftbased is badly constructed from a network point of view). One of the points of using a NGFW is to improve the security by setting up rules not only on port but also application. If you set "any" as service you will in many cases lower the security at least for the first few packets. ... View more

Did you read the pages I recommended you in the pdf? Page 78 describes inter-vsys communications (if you want this). One can also use shared gateway (described at page 79) for some situations. So if you want vsys0 to communicate with vsys1 you have basically three options (unless I missed something): 1) vsys0 (ethX) -> (int0/1) L2/L3-switch/router (int0/2) -> vsys1 (ethY) This way your vsys wont touch each other inside your PAN. 2) vsys0 (zoneX) -> vsys1 (zoneY) This way the traffic never leaves the box and is routed internally instead. Im not sure if you can perform tcpdump in this mode (as with 1 above where you can just span the interface you want on the L2/L3-switch/router to record traffic). Another downside with internal routing is if you (in case of emergency) must cut the connection for a certain vsys. If you use physical interfaces you can just disconnect the cables - otherwise you need to login to the device and shutdown the interfaces and then commit. 3) vsys0 (ethX) -> shared gateway (internally in PAN) -> vsys1 (ethY) This is like a combo between 1 and 2 above. Shared gateway (as described in page 79) is when you for example only have a single cable (or single ip) from the uplinkprovider. I dont remember in which order you can assign the subinterfaces but I think you first create the VSYS and then when you setup interfaces you choose which vsys and vrouter it belongs to. In my case the setup was really easy (something like): VSYS0 (eth0-3), VSYS1 (eth4-7), VSYS2 (eth8-11). This way I could use the 10G interfaces for uplink and downlink and then bond 2x1G to the DMZ-switches. So PAN1 had (for each VSYS): 10G: Uplink (internetrouter1) 2x1G: DMZ (switch1, LACP) 10G: Downlink (corerouter1) and PAN2 had: 10G: Uplink (internetrouter2) 2x1G: DMZ (switch2, LACP) 10G: Downlink (corerouter2) and then a couple of cables (in LACP) between each DMZ-switch1 and DMZ-switch2 (in total 2 DMZ-switches per VSYS just to get physical separation). Oh and in my case only 2 of the VSYS had 10G links while the 3rd had to use "only" 1G for uplink/downlink. But this is up to you how you wish to construct/design this regarding how much of separation you wish between the different DMZ's for the different VSYS. Another design would be if you use 2x10G bonded for downlink and connect that internally to a shared gateway. And do the same for uplink (but to another internal shared gateway). And then hook each interface for each VSYS to each shared gateway. And finally use the rest of the 1G interfaces as a large LACP bond to DMZ (and then use VLANs to separate them). But I dunno if this will actually work 🙂 Like so: Shared gateway Internet: LACP(eth10G_0, eth10G_1) Shared gateway Core: LACP(eth10G_2, eth10G_3) Shared gateway DMZ: LACP(eth1G_4, eth1G_5,eth1G_6,eth1G_7,eth1G_8,eth1G_9,eth1G_10,eth1G_11) VSYS0: int_Internet: Shared gateway Internet int_Core: Shared gateway Core int_DMZ: Shared gateway DMZ VSYS1: int_Internet: Shared gateway Internet int_Core: Shared gateway Core int_DMZ: Shared gateway DMZ VSYS2: int_Internet: Shared gateway Internet int_Core: Shared gateway Core int_DMZ: Shared gateway DMZ DMZ-switch1: DMZ_PAN1: LACP(int0/1-7) DMZ_switch2: LACP(int0/8-15) DMZ-switch2: DMZ_PAN2: LACP(int0/1-7) DMZ_switch1: LACP(int0/8-15) ... View more

If possible try to setup on session start and on session end for this particular user. Or do you perhaps see something this client ip in the logs as it is today? Because if the PAN blocks you should get a log about this (you might need to setup a specific block and log rule in the bottom because the PAN wont log by default). ... View more

Its pretty straight forward... Check page 77 and onwards in https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=PA-4.1_Administrators_Guide.pdf To define virtual systems, you must first enable the definition of multiple virtual systems. To do so, open the Device > Setup page, click the Edit link under General Settings in the Management tab, and select the Multi Virtual System Capability check box. This adds a Virtual Systems link to the side menu. I think you need to reboot aswell. You can now open the Virtual Systems page, click Add, and specify the information you wish for each VSYS. After you have created your VSYS you might want to define which physical interface will belong to which VSYS. If you use each VSYS with L3 you will also need to setup Virtual Routers (click in the network menu) and bind each Virtual router to each interface (or if it was each vsys). The Virtual router is the routingtable used (if you are used with Cisco you can think of VRF). Then when you create objects or rules you can switch between the VSYS in a dropdown box at top. When creating objects you can choose to either place them in just a singel VSYS (by selecting which VSYS) or by placing them in "Shared". Stuff placed in shared is available for all VSYS. Lets say you create a group of DNS-servers: object: ns1, 10.0.0.1 (shared) object: ns2, 10.0.0.2 (shared) group: NS-servers: ns1, ns2 (shared) ... View more

If im not mistaken the logs is on their own partition so login with ssh and run "df -h" should work. ... View more

Thanks for returning with followup of the result 🙂 ... View more